On 06.09.2013, at 10:49, Stephane Bortzmeyer <[email protected]> wrote:
> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie <[email protected]> wrote
> a message of 68 lines which said:
>
>> Florian Weimer wrote:
>>>
>>> Because DNSSEC does not prevent cache poisoning, it only detects it.
>>
>> i do not understand this statement.
>
> The way I understand it: with Kaminsky and/or Shulman, you can still
> poison a DNS cache. The downstream validating resolver will detect it
> and send back SERVFAIL to the end user. But this end user won't be
> able to connect to his/her bank.
>
> So, DNSSEC turned the poisoning attack from a hijacking attack to a
> DoS.

Might now be the appropriate time to think about how to depend less on caching? Or cache only after validation?

Daniel

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
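Added example, not part of this thread: a toy Python model of the three behaviours the exchange contrasts, a resolver with no DNSSEC (hijack), one that caches first and validates when answering (the SERVFAIL-for-the-TTL outcome Stephane describes), and one that caches only answers that validate (Daniel's suggestion). The HMAC stands in for the RRSIG/DNSKEY chain, and the zone key, names and addresses are constructed.

```python
import hmac
import hashlib

# Constructed stand-in for the DNSSEC chain of trust: a secret only the zone holds.
ZONE_KEY = b"constructed-demo-zone-key"

def sign(name, ip):
    """Toy RRSIG (an HMAC here; real DNSSEC uses public-key signatures)."""
    return hmac.new(ZONE_KEY, f"{name}={ip}".encode(), hashlib.sha256).hexdigest()

def validate(rr):
    return hmac.compare_digest(sign(rr["name"], rr["ip"]), rr["sig"])

# Constructed answers: the genuine one carries a valid signature, the forged one cannot.
GENUINE = {"name": "bank.example", "ip": "192.0.2.10",
           "sig": sign("bank.example", "192.0.2.10")}
FORGED = {"name": "bank.example", "ip": "198.51.100.66", "sig": "00" * 32}

class ToyResolver:
    """mode: 'no-dnssec'       -> caches and serves whatever arrives (hijack)
             'validate-after'  -> caches first, validates when answering (SERVFAIL DoS)
             'validate-before' -> caches only answers that validate (cache after validation)"""
    def __init__(self, mode):
        self.mode = mode
        self.cache = {}

    def resolve(self, name, wire):
        """wire: iterator yielding responses in the order they arrive from the network."""
        rr = self.cache.get(name)
        if rr is None:
            rr = next(wire)
            if self.mode == "validate-before" and not validate(rr):
                return "SERVFAIL"      # dropped, never cached: the next query retries upstream
            self.cache[name] = rr      # held for its TTL, whatever it contains
        if self.mode != "no-dnssec" and not validate(rr):
            return "SERVFAIL"          # poisoned entry detected on every lookup until it expires
        return rr["ip"]

def scenario(mode):
    """A forged answer wins the race on the first lookup; genuine answers follow.
    Returns the outcomes of three successive client queries."""
    r = ToyResolver(mode)
    wire = iter([FORGED, GENUINE, GENUINE])
    return [r.resolve("bank.example", wire) for _ in range(3)]

if __name__ == "__main__":
    for mode in ("no-dnssec", "validate-after", "validate-before"):
        print(f"{mode:16} {scenario(mode)}")
```

Only the validate-before resolver recovers on the next query; the validate-after one keeps answering SERVFAIL for as long as the forged entry stays cached.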
