[dns-operations] Massive DNS poisoning attacks in Brazil
Andrew Sullivan
ajs at anvilwalrusden.com
Wed Oct 3 15:09:26 UTC 2012

On Wed, Oct 03, 2012 at 09:51:20AM -0400, Paul Wouters wrote:
>
> If the application gets a TLSA record, it must have passed DNSSEC
> validation

I see. So your model is that the application asks for a TLSA record,
and if it gets one then it can infer that the record also passed
validation? Hrm. That's an interesting answer, and it hadn't
occurred to me before that the application could rely on such an
inference. How can the application be sure the resolver is
DNSSEC-aware?

Best,
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
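
As an added illustration of the question raised in this message (not part of the original post or of any project's code): a stub-side check that refuses TLSA data unless the resolver set the AD (Authenticated Data) header bit, run over two constructed responses that differ only in that bit. The function names and the `_443._tcp.example.test` sample are hypothetical, and the AD bit is only meaningful when the resolver and the path to it are trusted.

```python
import struct

TYPE_TLSA = 52          # RFC 6698
FLAG_AD = 0x0020        # Authenticated Data bit in the DNS header flags
RCODE_MASK = 0x000F

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def tlsa_answers(msg):
    """Return (ad_bit_set, rcode, [TLSA rdata, ...]) from a raw DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TLSA:
            records.append(msg[off:off + rdlen])
        off += rdlen
    return bool(flags & FLAG_AD), flags & RCODE_MASK, records

def usable_tlsa(msg):
    """Accept TLSA data only when the resolver asserted validation (AD=1)."""
    ad, rcode, records = tlsa_answers(msg)
    return records if (ad and rcode == 0) else []

def sample_response(ad):
    """Constructed response for _443._tcp.example.test with one TLSA record."""
    qname = b"\x04_443\x04_tcp\x07example\x04test\x00"
    flags = 0x8180 | (FLAG_AD if ad else 0)     # QR, RD, RA (+ AD)
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", TYPE_TLSA, 1)
    rdata = bytes([3, 1, 1]) + bytes(32)        # usage, selector, mtype, dummy digest
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TLSA, 1, 300, len(rdata)) + rdata
    return header + question + answer
```

A resolver that is not DNSSEC-aware can return the same TLSA answer with AD clear, which is the case `usable_tlsa` rejects.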