Fri Nov 11 11:24:58 UTC 2011

> so, you're suggesting that some of those generous offers of alternative
name resolution will be malicious?  Well, in that case DNSSEC, were it
deployed, would indeed be able to help mitigate.

Not at present. The current deployment model for DNSSEC is "protect the
recursive cache, which the stub trusts absolutely." This is clearly not
going to make any difference when the recursive cache is untrustworthy, as
it was in both the DNS Changer situation and in the Brazil situation.

Stub validation is going to be necessary for a lot of reasons, including the
above, and including DNSSEC-aware apps like IETF DANE.
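To make the "stub trusts the recursive absolutely" point concrete, here is an added example (not from the original post or thread) in plain Python over DNS wire format. It constructs a response the way a recursive resolver would, shows that the AD (Authenticated Data) bit is nothing more than a header flag the resolver chooses to set, so a hijacked or rogue recursive can attach it to any forged answer, and contrasts that with what a validating stub does: ignore AD, set CD and DO in its query so it receives the RRSIGs, and accept the answer only on the strength of its own chain-of-trust check. The RRSIG/DNSKEY verification itself is out of scope here and is supplied by the caller as `verify_rrsigs`; the name `www.example.com` and address `198.51.100.7` are constructed sample values.

```python
import struct

# Header flag bits: QR, RD, RA from RFC 1035; AD, CD from RFC 4035.
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000          # EDNS "DNSSEC OK" bit, upper half of the OPT RR's TTL field
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", (end if jumped else off)

def header_flags(msg):
    return struct.unpack("!H", msg[2:4])[0]

def build_query(name, validating_stub=False, txid=0x1234):
    """A trusting stub sends a plain RD query. A validating stub also sets CD
    (return the data even if your own validation failed) and attaches an OPT RR
    with DO (include the RRSIGs), because it will check the chain itself."""
    flags = RD | (CD if validating_stub else 0)
    arcount = 1 if validating_stub else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if validating_stub:
        # OPT RR: root name, type 41, UDP payload 4096, DO bit in the TTL field
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO << 16, 0)
    return msg

def build_response(query, addr, set_ad):
    """Constructed resolver response answering the query's A question; set_ad
    models a recursive that asserts 'authenticated' regardless of the truth."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if set_ad else 0)
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    rdata = bytes(int(x) for x in addr.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "ad": bool(flags & AD), "addrs": addrs}

def trusting_stub(resp):
    """Deployed model: the stub believes whatever AD bit the recursive set."""
    r = parse_response(resp)
    return r["addrs"] if r["ad"] else []

def validating_stub(resp, verify_rrsigs):
    """Stub validation: AD is ignored; the answer is used only if the stub's own
    signature check over the message (caller-supplied) succeeds."""
    r = parse_response(resp)
    return r["addrs"] if verify_rrsigs(resp) else []

if __name__ == "__main__":
    q = build_query("www.example.com")
    forged = build_response(q, "198.51.100.7", set_ad=True)
    print("trusting stub uses:", trusting_stub(forged))
    print("validating stub uses:", validating_stub(forged, lambda m: False))
```

Run as a script, the forged answer carrying AD=1 is accepted by the trusting stub and rejected by the validating one, which is the gap the post is describing: until the stub validates, DNSSEC on the recursive side says nothing about answers from a recursive the client should not have trusted.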

