[dns-operations] .com/.net DNSSEC operational message

George Barwood george.barwood at blueyonder.co.uk
Fri Oct 29 22:37:14 UTC 2010


----- Original Message ----- 
From: "Joe Abley" <jabley at hopcount.ca>
To: "George Barwood" <george.barwood at blueyonder.co.uk>
Cc: <bmanning at vacation.karoshi.com>; "DNS-OARC DNS Operations" <dns-operations at mail.dns-oarc.net>; "Florian Weimer" <fweimer at bfk.de>
Sent: Friday, October 29, 2010 10:57 PM
Subject: Re: [dns-operations] .com/.net DNSSEC operational message



On 2010-10-29, at 17:54, George Barwood wrote:

>> A single successful spoof of the priming query allows an attacker to intercept and log all queries to the root
>> (assuming root-servers.net is left unsigned).

> How is that different if ROOT-SERVERS.NET is signed?

If the resolver validates the IP addresses of the root servers, the attack can be defeated.

The resolver would need to treat the priming glue addresses as temporary, and retry until it has an authoritative IP address for a root server.

One way of describing it is "only cache authoritative data".

George

> Joe
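The "only cache authoritative data" policy described in the message above, as an added toy model (not code from the post or from any real resolver). It assumes a resolver that keeps priming glue in a separate temporary store, promotes an address into its real cache only from an AA answer for the owning zone that also validated, and keeps retrying until such an answer arrives. The `validated` flag stands in for DNSSEC validation of a signed root-servers.net; the record classes, the scenario, and the 192.0.2.x addresses (TEST-NET-1 documentation space) are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record (owner name, type, rdata); TTLs omitted for brevity."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """Simplified DNS response. `aa` mirrors the Authoritative Answer header bit;
    `validated` stands in for a successful DNSSEC validation of the answer section."""
    answer: List[RR]
    additional: List[RR] = field(default_factory=list)
    aa: bool = False
    validated: bool = False


class PrimingCache:
    """Cache that keeps only authoritative, validated data; glue is bootstrap-only."""

    def __init__(self) -> None:
        self.authoritative: Dict[Tuple[str, str], str] = {}
        self.temporary: Dict[Tuple[str, str], str] = {}

    def accept_priming(self, resp: Response) -> None:
        # The priming answer carries the root NS set plus glue addresses. A root
        # server is not authoritative for root-servers.net, so its glue is held
        # only as temporary bootstrap data and never enters the real cache.
        for rr in resp.additional:
            if rr.rtype in ("A", "AAAA"):
                self.temporary[(rr.name, rr.rtype)] = rr.rdata

    def accept_answer(self, resp: Response) -> bool:
        # Only an authoritative (AA) answer that also validated is cached.
        if not (resp.aa and resp.validated):
            return False
        for rr in resp.answer:
            key = (rr.name, rr.rtype)
            self.authoritative[key] = rr.rdata
            self.temporary.pop(key, None)  # bootstrap glue has served its purpose
        return True

    def address(self, name: str, rtype: str = "A") -> Tuple[Optional[str], bool]:
        """Return (rdata, is_authoritative); temporary glue is always flagged False."""
        key = (name, rtype)
        if key in self.authoritative:
            return self.authoritative[key], True
        return self.temporary.get(key), False

    def needs_retry(self, name: str, rtype: str = "A") -> bool:
        return (name, rtype) not in self.authoritative


def bootstrap_root(cache: PrimingCache, priming: Response, answers: List[Response]) -> int:
    """Prime, then keep querying for the root server's address until an
    authoritative, validated answer is cached. `answers` is the sequence of
    responses received on successive retries. Returns the number of retries."""
    cache.accept_priming(priming)
    attempts = 0
    for resp in answers:
        if not cache.needs_retry("a.root-servers.net."):
            break
        attempts += 1
        cache.accept_answer(resp)
    return attempts


def run_scenario() -> dict:
    """Constructed scenario: the priming glue is spoofed (192.0.2.66), the first
    retry returns an answer that fails validation, the second a genuine one."""
    name = "a.root-servers.net."
    spoofed_priming = Response(
        answer=[RR(".", "NS", name)],
        additional=[RR(name, "A", "192.0.2.66")],  # attacker-supplied glue (constructed)
        aa=True,  # AA covers the root NS set, not the glue in the additional section
    )
    unvalidated = Response(answer=[RR(name, "A", "192.0.2.66")], aa=True, validated=False)
    genuine = Response(answer=[RR(name, "A", "192.0.2.1")], aa=True, validated=True)

    glue_only = PrimingCache()
    glue_only.accept_priming(spoofed_priming)

    cache = PrimingCache()
    attempts = bootstrap_root(cache, spoofed_priming, [unvalidated, genuine])
    return {
        "after_priming": glue_only.address(name),          # ('192.0.2.66', False)
        "needs_retry_after_priming": glue_only.needs_retry(name),
        "attempts": attempts,                              # 2
        "final": cache.address(name),                      # ('192.0.2.1', True)
        "needs_retry_final": cache.needs_retry(name),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes explicit is the separation of the two stores: spoofed glue can steer the very next query, but it never becomes cached truth, and the resolver keeps treating the root server address as unresolved until an answer that is both authoritative for root-servers.net and validated replaces it.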

