On 12/3/2014 10:52 AM, Derek Atkins wrote:
Actually, it was designed to protect against that.  I sat in the
IETF meetings where that was explicitly discussed.  If an intermediary
strips the DNSSEC records out then a resolver expecting DNSSEC will
force a validation error.

Which results in a denial of service for clients if DNSSEC is enforced. That's not protecting users; that's dumping them into black holes.


Well, it sort of does, but it's not easy.  But this is why they use
ZSKs.  The Root Zone KSK is mightily protected.

So, too, allegedly, were the keys at DigiNotar.

--
Rich P.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to