DNSSEC and CVE-2012-1033 (Ghost domain names)

Tony Finch dot at dotat.at
Mon Feb 13 22:31:44 UTC 2012

Florian Weimer <fw at deneb.enyo.de> wrote:
> Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
> not extend too far into the future?

It depends on the TTL of the DS record or its proof of nonexistence.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
North FitzRoy, Sole: Northerly or northwesterly 5 to 7. Moderate becoming
rough. Occasional drizzle. Good, occasionally moderate.

More information about the bind-users mailing list