DNSSEC and CVE-2012-1033 (Ghost domain names)
Casey Deccio
casey at deccio.net
Fri Feb 10 22:27:40 UTC 2012
On Fri, Feb 10, 2012 at 7:37 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>wrote:
> On Thu, Feb 09, 2012 at 12:38:42PM -0800,
> Casey Deccio <casey at deccio.net> wrote
> a message of 67 lines which said:
>
> > Actually, it should, in the spirit of DNSSEC.
>
> OK, so there is nothing that can be done at the registry level.
No.
> Only
> the resolver admin can use DNSSEC to solve the ghost domain problem,
> by enabling DNSSEC validation. Correct?
>
Yes. Unless future specification or implementation designated that
delegation follow the same model as trust--that is, that a delegation only
last as long as the parent said it did. But I'm not sure that's the right
approach, and this seems to me to be somewhat of a niche problem.
Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120210/5f9a0c73/attachment.html>
More information about the bind-users
mailing list