> From: Warren Kumari <war...@kumari.net>

> >> I suspect they're more interested in getting "registry lock" in place
> >> rather than DNSSEC.
> >> Most of the attacks against Google have involved changing the name servers
> >> completely ..
> >
> > Through social engineering and sometimes through directed attacks, yes.
>
> Sadly yes.

I trust we all agree that cache attacks with non-random ports,
fragmentation, or padding are irrelevant except perhaps indirectly
through the general (lack of) value of DNSSEC that I claim better
prevents cache attacks than random ports.

Wouldn't DNSSEC have not made things worse and possibly made them
better by:

  - making the social engineering more difficult by forcing the bad
    guys to change key as well as NS RRs

  - possibly making the bogus records fail to validate for a while at
    the start of the attack, thanks to what might look like an unplanned
    KSK change.

  - possibly making the bogus records fail to validate sooner and so
    get ignored sooner after the registrar records are restored, again
    thanks to what might look like an unplanned KSK change.


Vernon Schryver    v...@rhyolite.com