[dns-operations] DNSSEC in the root, please help me understand

Matthew Dempsky matthew at dempsky.org
Fri Jan 15 19:00:28 UTC 2010


On Fri, Jan 15, 2010 at 3:31 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> Not true. If a cracker redirects you to a non-DNSSEC root name server,
> the validating resolver, having a trust anchor for the root, will see
> there is a problem and will report it. (Same thing for other domains,
> with the DS record.)

I'm not talking about a non-DNSSEC root name server.  Even after the
root zone is signed, it still won't do any good for .com users (until
.com is signed too).  The root zone servers aren't signing the .com NS
records, and they aren't signing the gtld-servers glue records.


