[dns-operations] Opened Pandora's box of Cache Poisoning

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat May 3 16:48:27 UTC 2014

On Sun, May 04, 2014 at 01:43:06AM +0900,
 Daisuke Kotani <daisuke at kotachi.com> wrote 
 a message of 66 lines which said:

> One thing that should be noted in the "Additional Page" is that the
> jp. name servers directly delegate example.ac.jp to the
> authoritative servers of it, and no RR of QNAME "ac.jp."

Yes, it happens in many places, for instance for gouv.fr (try

The "Pandora box" documents repeat quite often that it is a special
case for poisoning but they don't explain why and they don't explain
why it makes a specific vulnerability. So, I stay skeptical.

> DNSSEC does not sign NS RRs for delegation (See RFC4035 Sec.2.2),
> therefore DNSSEC cannot verify the integrity of delegation.

That's well known from the beginning of DNSSEC and I do not see what's
the relationship with the issue of "domains which are not a zone"
(like gouv.fr or ac.jp).

More information about the dns-operations mailing list