root hints operation
Grant Taylor
gtaylor at tnetconsulting.net
Wed Nov 18 02:49:43 UTC 2015
On 11/17/2015 03:22 PM, Mark Andrews wrote:
> Given the root zone is signed and most of the TLDs are also signed
> there is little a rogue operator can do besides causing a DoS if
> you validate the returned answers.
This quote from Twitter seems appropriate: "DNSSEC only protects you
from getting bad answers. If someone wants you to get no answers at all
then DNSSEC cannot help."
I think it would be possible for a rogue operator to completely hide
DNSSEC-related records (NODATA) and revert to pre-DNSSEC DNS. Thus it
would then be possible to do some nefarious things.
I think the only thing that would help thwart this type of behavior is
for clients to do DNSSEC validation themselves. (It's my understanding
that most do not.)
--
Grant. . . .
unix || die
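As an added illustration (not code from this thread or from BIND), the following constructed Python model shows the point both posts make: against a non-validating stub, an operator who alters an answer or strips its DNSSEC records gets the forged data accepted, while a client that validates ends up with no answer (SERVFAIL) rather than a bad one. `ZONE_KEY` and HMAC-SHA256 are stand-ins for the DNSKEY/DS trust chain and the RRSIG; real DNSSEC uses public-key signatures, but the downgrade logic is the same.

```python
import hmac
import hashlib

# Constructed stand-ins: the zone key plays the DNSKEY that the client trusts
# via the parent's DS record, and HMAC-SHA256 plays the RRSIG. Real DNSSEC
# uses public-key signatures, but the downgrade logic shown here is the same.
ZONE_KEY = b"constructed-zone-key"


def rrsig(name, rtype, rdata):
    """RRSIG stand-in: a MAC over the canonical form of the RRset."""
    msg = f"{name}|{rtype}|{','.join(sorted(rdata))}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def authoritative_answer(name, rtype, rdata):
    """What the honest signed zone returns: the RRset plus its RRSIG."""
    return {"name": name, "type": rtype, "rdata": list(rdata),
            "rrsig": rrsig(name, rtype, rdata)}


def trusting_client(answer):
    """Non-validating stub: accepts whatever the resolver hands back."""
    return answer["rdata"]


def validating_client(answer, zone_is_signed=True):
    """Validating client. It knows from the parent's DS that the zone is
    signed, so a missing or bad RRSIG is bogus: the result is *no* answer
    (SERVFAIL), never a silent fall-back to unsigned DNS."""
    sig = answer.get("rrsig")
    if zone_is_signed and sig is None:
        return None                      # signatures stripped: downgrade
    if sig is not None and not hmac.compare_digest(
            sig, rrsig(answer["name"], answer["type"], answer["rdata"])):
        return None                      # rdata altered: signature mismatch
    return answer["rdata"]


def run_scenarios():
    """Returns (trusting, validating) results for three constructed cases."""
    honest = authoritative_answer("www.example.", "A", ["192.0.2.1"])
    # A rogue operator swaps the address but cannot forge the RRSIG...
    tampered = dict(honest, rdata=["198.51.100.9"])
    # ...or strips the DNSSEC records entirely, serving pre-DNSSEC-style DNS.
    stripped = {k: v for k, v in tampered.items() if k != "rrsig"}
    return {name: (trusting_client(a), validating_client(a))
            for name, a in (("honest", honest), ("tampered", tampered),
                            ("stripped", stripped))}
```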