On Tue, Aug 19, 2014 at 09:17:10PM +0200, Hosnieh Rafiee wrote:
> A domain called www.example.com signed by DNSSEC A. Client B wants to browse "www.example.com". It asks the IP address of this from resolver C. Attacker D spoofs the IP address of resolver C and responds to this query with the IP address of his own server F. If the client supports DNSSEC, then the attacker signs www.example.com with the address of server F using his own key and sends it back to client B.
DNSSEC detects this case. If you think it does not, you need to show how.

I think you've misunderstood how DNSSEC works. In order for an attacker to do that, it has to be able to insert its own key on both sides of the zone cut. This works all the way up the chain until you get to the trust anchor, which the validator is supposed to have configured. You build this chain of trust from the root for each validation. If you think that can be subverted, you have to say how.

Best regards,

A

--
Andrew Sullivan
[email protected]

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
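The chain-of-trust check Andrew describes, as an added toy simulation that is not part of the thread: HMAC stands in for the RRSIG algorithm and a SHA-256 digest stands in for the DS record, and every key secret and address below is constructed. It shows that attacker D's response verifies under D's own key but fails the validator's walk from the root trust anchor, because D cannot get a DS for its key signed by the parent zone.

```python
"""Toy DNSSEC chain-of-trust walk; stand-in crypto, constructed data, not real DNSSEC."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    owner: str     # zone the DNSKEY belongs to
    secret: bytes  # stand-in for the private key (the toy verifier holds it too)

    def public(self) -> bytes:  # stand-in DNSKEY public material
        return hashlib.sha256(b"pub:" + self.secret).digest()


def sign(key: Key, data: bytes) -> bytes:  # stand-in RRSIG over an RRset
    return hmac.new(key.secret, data, "sha256").digest()


def verify(key: Key, sig: bytes, data: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def ds_digest(child_key: Key) -> bytes:  # DS record: parent publishes a hash of the child's DNSKEY
    return hashlib.sha256(child_key.public()).digest()


def validate(trust_anchor: Key, chain: list, rrdata: bytes, rrsig: bytes) -> bool:
    """chain: (child_key, ds, ds_rrsig) per zone cut, root downward; the last key must sign rrdata."""
    parent = trust_anchor
    for child_key, ds, ds_sig in chain:
        # the DS must be signed by the parent's key AND match the child's DNSKEY
        if not verify(parent, ds_sig, ds) or ds != ds_digest(child_key):
            return False
        parent = child_key
    return verify(parent, rrsig, rrdata)


def build_scenario() -> dict:
    root = Key(".", b"constructed-root-secret")          # trust anchor configured in the validator
    com = Key("com.", b"constructed-com-secret")
    example = Key("example.com.", b"constructed-example-secret")
    attacker = Key("example.com.", b"constructed-attacker-secret")  # attacker D's own key
    a_real = b"www.example.com. A 192.0.2.10"    # constructed legitimate answer
    a_fake = b"www.example.com. A 198.51.100.7"  # constructed address of server F
    chain_ok = [(com, ds_digest(com), sign(root, ds_digest(com))),
                (example, ds_digest(example), sign(com, ds_digest(example)))]
    # D swaps in a DS for its own key, but can only sign it with its own key, not com's
    chain_forged = [chain_ok[0], (attacker, ds_digest(attacker), sign(attacker, ds_digest(attacker)))]
    return {
        "legitimate": validate(root, chain_ok, a_real, sign(example, a_real)),
        "spoofed": validate(root, chain_forged, a_fake, sign(attacker, a_fake)),
        "spoofed_sig_alone": verify(attacker, sign(attacker, a_fake), a_fake),
    }
```

The `spoofed_sig_alone` result is the trap in the quoted scenario: a signature that checks out under the key the response itself supplies proves nothing until that key is tied back to the trust anchor.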
