In <https://www.isc.org/software/bind/advisories/cve-2012-1033>, ISC writes:
> ISC continues to recommend that organizations with security needs
> who are reliant on the Domain Name System proceed with adoption of
> DNSSEC; DNSSEC is the best known method of mitigating this issue.

But ISC provides no details about *how* exactly DNSSEC will solve the problem. I'm puzzled.

In the ghost domain names attack, the child zone is controlled by the bad guy, who wants the domain to stick. So, he will certainly not sign it. Unless you make DNSSEC mandatory, how will you solve the ghost domain problem with DNSSEC?

If the resolver is sticky (will not go to the parent to ask the NS RRset), it won't check the NSEC at the parent either... Is it because the resolver, even if sticky, re-queries the parent when the negative TTL of the (missing) DS records ends? And chokes when it receives back a NXDOMAIN?

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
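The "sticky" delegation the post refers to is the core of the ghost domain problem: a resolver that lets the child zone's own NS RRset (with a fresh, long TTL) overwrite the delegation it originally learned from the parent will never go back to the parent and so never notices that the delegation has been removed. The toy model below is an added example, not BIND code and not part of the original message; the zone name `evil.example.`, the address `192.0.2.1`, the TTLs and the `cap_child_ns` switch are all constructed. It runs the same sequence of daily lookups against a resolver in "vulnerable" mode (child-supplied NS RRset extends the cached delegation) and in "fixed" mode (the cached delegation keeps the expiry the parent gave it), with the parent revoking the delegation just after the first lookup.

```python
"""Toy model of ghost-domain cache behaviour (constructed example, not BIND code).

A parent zone delegates evil.example. to an attacker-run server.  After the
delegation is revoked at the parent, the attacker's server keeps answering and
keeps including its own NS RRset with a long TTL in the authority section.
Whether the name 'survives' depends on how the resolver treats that RRset.
"""
from dataclasses import dataclass

DAY = 86400
PARENT_NS_TTL = 2 * DAY    # TTL of the delegation NS RRset at the parent (assumed)
CHILD_NS_TTL = 7 * DAY     # TTL of the NS RRset the child keeps sending (assumed)
NEG_TTL = 3600             # negative-answer TTL the parent would return (assumed)

ZONE = "evil.example."
QNAME = "www.evil.example."
ATTACKER_IP = "192.0.2.1"  # constructed, documentation range


@dataclass
class CacheEntry:
    nameservers: list
    expires: int           # absolute time in seconds


class ParentZone:
    """Authoritative server for the parent; the registry can revoke a delegation."""
    def __init__(self):
        self.delegations = {ZONE: ["ns1.evil.example."]}

    def query_ns(self, name):
        ns = self.delegations.get(name)
        if ns is None:
            return ("NXDOMAIN", None, NEG_TTL)
        return ("NS", ns, PARENT_NS_TTL)

    def revoke(self, name):
        self.delegations.pop(name, None)


class ChildServer:
    """Attacker's authoritative server: always answers, always refreshes its NS RRset."""
    def query(self, qname):
        return {
            "answer": ("A", [ATTACKER_IP]),
            "authority": ("NS", ["ns1.evil.example."], CHILD_NS_TTL),
        }


class Resolver:
    def __init__(self, parent, child, cap_child_ns):
        self.parent = parent
        self.child = child
        # cap_child_ns=False: child's NS RRset replaces the delegation (vulnerable).
        # cap_child_ns=True : delegation expiry is never extended by the child (fixed).
        self.cap_child_ns = cap_child_ns
        self.cache = {}    # zone -> CacheEntry for its delegation

    def resolve(self, qname, zone, now):
        entry = self.cache.get(zone)
        if entry is None or entry.expires <= now:
            # Delegation unknown or expired: go back to the parent.
            rtype, ns, ttl = self.parent.query_ns(zone)
            if rtype == "NXDOMAIN":
                self.cache.pop(zone, None)
                return "NXDOMAIN"
            entry = CacheEntry(ns, now + ttl)
            self.cache[zone] = entry
        resp = self.child.query(qname)
        _, child_ns, child_ttl = resp["authority"]
        if not self.cap_child_ns:
            # Vulnerable: trust the child's NS RRset and its longer TTL, which
            # pushes the delegation's expiry out every time the name is queried.
            self.cache[zone] = CacheEntry(child_ns, now + child_ttl)
        # Fixed: the child's RRset is answered from but never extends the expiry.
        return resp["answer"][1][0]


def simulate(cap_child_ns, days):
    """Resolve QNAME once, revoke the delegation, then resolve once per day."""
    parent, child = ParentZone(), ChildServer()
    resolver = Resolver(parent, child, cap_child_ns)
    resolver.resolve(QNAME, ZONE, 0)        # delegation cached while still valid
    parent.revoke(ZONE)                     # registry pulls the domain just after t=0
    return [resolver.resolve(QNAME, ZONE, d * DAY) for d in range(1, days + 1)]


if __name__ == "__main__":
    print("vulnerable:", simulate(cap_child_ns=False, days=5))
    print("fixed:     ", simulate(cap_child_ns=True, days=5))
```

In the vulnerable run every daily query resets the delegation's expiry to seven days ahead, so the parent is never consulted again and the revoked name keeps resolving indefinitely. In the fixed run the delegation keeps the two-day expiry the parent gave it; on day two the resolver goes back to the parent, receives NXDOMAIN, and the name is gone. The negative TTL modelled here is what a resolver would cache for the parent's NXDOMAIN; it is part of why the question about re-querying at the end of a negative TTL matters for the DNSSEC case.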