[dns-operations] Massive DNS poisoning attacks in Brazil

Andrew Sullivan ajs at anvilwalrusden.com
Wed Oct 3 15:09:26 UTC 2012

On Wed, Oct 03, 2012 at 09:51:20AM -0400, Paul Wouters wrote:
> If the application gets a TLSA record, it must have passed DNSSEC
> validation

I see.  So your model is that the application asks for a TLSA record,
and if it gets one then it can infer that the record also passed
validation?  Hrm.  That's an interesting answer, and it hadn't
occurred to me before that the application could rely on such an
inference.  How can the application be sure the resolver is



Andrew Sullivan
ajs at anvilwalrusden.com

More information about the dns-operations mailing list