[dns-operations] why does that domain resolve?

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Sat Jun 5 13:27:50 UTC 2021


On 05/06/2021 13.11, A. Schulze wrote:
> Is "being client centric" a candidate for a "dns-flag-day-2022"?
> Consider .com would like to intercept gmail.com. Changing the delegation in .com would be enough. Really?

The parent has full control of its subtree anyway.  They can even roll 
the DNSSEC key of the child to anything.  Getting a TLS cert for "big 
names" will be hard without causing alarm, though (e.g. cert. 
transparency)... and you'd surely need that to intercept e-mail towards 
an end-client.

Recent discussion threads I see as related were around these two proposals:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation-00.txt
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-delegation-only

--Vladimir


