Breaking trusted chain in dnssec
Tony Finch
dot at dotat.at
Wed Jul 13 14:30:47 UTC 2016
Georg Kahest <georg.kahest at internet.ee> wrote:
> On 07/13/2016 03:16 PM, Mark Andrews wrote:
> >
> > You have a delegation without a DS record.
>
> Or have a DS record without actual dnskey/rrsig records in the
> delegated zone.
Be aware that these are very different things!
Mark's suggestion creates an insecure subdomain, i.e. one that works but
lacks DNSSEC.
Georg's suggestion creates a bogus subdomain, i.e. one that does not work.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
North Fitzroy, Sole: Northwesterly 4 or 5 at first in east, otherwise variable
3 or 4, then becoming southerly 5 or 6 later in west. Moderate, occasionally
slight later in east. Rain later in west. Good, occasionally moderate later in
west.
More information about the bind-users
mailing list