root hints operation
Mark Andrews
marka at isc.org
Wed Nov 18 04:02:14 UTC 2015
In message <564BE747.40002 at tnetconsulting.net>, Grant Taylor writes:
> On 11/17/2015 03:22 PM, Mark Andrews wrote:
> > Given the root zone is signed and most of the TLDs are also signed
> > there is little a rogue operator can do besides causing a DoS if
> > you validate the returned answers.
>
> This quote from Twitter seems appropriate: DNSSEC only protects you
> from getting bad answers. If someone wants you to get no answers at all
> then DNSSEC cannot help.
As I said. It doesn't protect you from a Denial of Service.
> I think it would be possible for a rogue operator to completely hide
> DNSSEC related records (NODATA) and revert to pre-DNSSEC DNS. Thus it
> would then be possible to do some nefarious things.
>
> I think the only thing that would help thwart this type of behavior is
> for clients to do DNSSEC validation themselves. (It's my understanding
> that most do not.)
If your recursive server is validating then you are protected from a
rogue root server.
If your application is validating then you are protected from a
rogue root server and a rogue recursive server.
Mark
> --
> Grant. . . .
> unix || die
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
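Added worked example, not part of the thread and not ISC's code. It shows concretely why Mark's two statements hold: a validator does not trust a DNSKEY because a server returned it, it trusts the key only if it hashes to a DS record (or a configured trust anchor) it already holds, and it does not rely on the AD bit that an upstream server set. The real root KSK-2017 public key (as shipped in BIND's bind.keys) and the published root trust anchor are checked with the RFC 4034 key-tag and DS-digest algorithms; then a constructed "rogue" server substitutes an arbitrary key while setting AD. The rogue key bytes and the response dictionaries are constructed for the example.

```python
"""Added example (not from the bind-users thread): a stub that only trusts the
AD bit is fooled by a rogue recursive server; a stub that validates against its
own trust anchor is not, whichever server (root or recursive) answered."""
import base64
import hashlib
import struct

# Real data: root KSK-2017 (key tag 20326) as distributed in bind.keys, and
# the matching trust anchor published at https://data.iana.org/root-anchors/.
ROOT_KSK_B64 = ("AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3"
                "+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv"
                "ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF"
                "0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e"
                "oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd"
                "RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN"
                "R1AkUTV74bU=")
ROOT_TRUST_ANCHOR = {
    "key_tag": 20326, "algorithm": 8, "digest_type": 2,
    "digest": "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
}


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Owner name in canonical (lowercase, uncompressed) wire form; "." -> b"\\x00"."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(owner_wire(owner) + rdata).hexdigest().upper()


def validator_accepts(owner, rdata, anchor):
    """What a validating resolver or application does: accept the key only if
    it matches the trust anchor (or parent DS) it already holds."""
    return (key_tag(rdata) == anchor["key_tag"]
            and rdata[3] == anchor["algorithm"]
            and ds_digest(owner, rdata, anchor["digest_type"]) == anchor["digest"])


def ad_only_stub_accepts(response):
    """What a non-validating stub does: believe the AD bit set by whoever
    answered, which a rogue recursive server can set at will."""
    return response["ad"]


# Constructed scenario: a rogue server hands out its own DNSKEY for "." with
# the AD bit set.  The key bytes are arbitrary filler, not a real key.
ROGUE_RDATA = dnskey_rdata(257, 3, 8,
                           base64.b64encode(b"\x03\x01\x00\x01" + b"\x42" * 256).decode())
ROGUE_RESPONSE = {"owner": ".", "dnskey": ROGUE_RDATA, "ad": True}
GENUINE_RESPONSE = {"owner": ".", "dnskey": dnskey_rdata(257, 3, 8, ROOT_KSK_B64), "ad": True}

if __name__ == "__main__":
    for label, resp in (("genuine", GENUINE_RESPONSE), ("rogue", ROGUE_RESPONSE)):
        print(label,
              "AD-trusting stub accepts:", ad_only_stub_accepts(resp),
              "validating stub accepts:",
              validator_accepts(resp["owner"], resp["dnskey"], ROOT_TRUST_ANCHOR))
```

The DS check shown here is one link of the chain a validator walks (trust anchor to root DNSKEY, root-signed DS to TLD DNSKEY, and so on); a real validator also verifies the RRSIGs over each RRset. None of it removes the denial-of-service case Mark describes: a server that withholds or refuses answers still leaves a validating client with no answer, just not a wrong one.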