[dns-operations] why does that domain resolve?
Vladimír Čunát
vladimir.cunat+ietf at nic.cz
Sat Jun 5 13:27:50 UTC 2021
On 05/06/2021 13.11, A. Schulze wrote:
> Is "being client centric" a candidate for a "dns-flag-day-2022"?
> Consider .com would like to intercept gmail.com. Changing the delegation in .com would be enough. Really?
The parent has full control of its subtree anyway. They can even roll
the DNSSEC key of the child to anything. Getting a TLS cert for "big
names" will be hard without causing alarm, though (e.g. cert.
transparency)... and you'd surely need that to intercept e-mail towards
an end-client.
Recent discussion threads I see as related were around these two proposals:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation-00.txt
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-delegation-only
--Vladimir