On 12/3/2014 10:52 AM, Derek Atkins wrote:
Actually, it was designed to protect against that. I sat in the IETF meetings where that was explicitly discussed. If an intermediary strips the DNSSEC records out then a resolver expecting DNSSEC will force a validation error.
Which results in a denial of service for clients if DNSSEC is enforced. That's not protecting users; that's dumping them into black holes.
Well, it sort of does, but it's not easy. But this is why they use ZSKs. The Root Zone KSK is mightily protected.
So, too, allegedly, were the keys at DigiNotar. -- Rich P. _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
