Derek,

According to the DNSSEC specs, if there is no RRSIG record in the lookup answer then a properly behaved resolver will treat it as unsigned. Backwards compatibility with so-called insecure DNS is an explicit requirement of DNSSEC. So, what happens when a malicious actor inserts filters at an intermediary resolver or router that strip RRSIG records from DNS answers?

DNSSEC was never intended to protect you against that. It was designed to protect high-level caches -- root zones, ISP's, big data players, private networks, and the like -- from cache poisoning. That's it. Any benefits that might trickle down to you are incidental.

Never mind that DNSSEC has no means of rolling over the root KSKs. If a root is compromised then the whole domain hierarchy is compromised and there currently is no way to fix that other than disabling DNSSEC for the hierarchy or accepting loss of service for everything under that root.

Aside: It's DNSSEC. It is not DNSsec, nor DNS-SEC, nor dns-sec, nor DNS-sec, nor is it any variant that is not DNSSEC.

--
Rich P.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to