[On 20 Mar, @13:54, bert wrote in "Re: secondary behavior with DN ..."]
> On Thu, Mar 20, 2003 at 10:48:46AM +0100, Miek Gieben wrote:
>
> > This difference with DNS is obvious, with DNS a secondary that was not up to
> > date was bad, but it was still sort of usable. With DNSSEC a secondary that is
> > longer out of date than the signature lifetime is disastrous - it causes the
> > local removal of a TLD (in this case).
>
> I also see interesting DoS possibilities here - DNSSEC does not offer any
> additional protection against spoofing, except that cached answers will be
> recognized as being spoofed, but only by DNSSEC aware clients and not by
> generic recursors.
>
> So by spoofing in a badly signed NL NS record, the TLD vanishes for all
> secure clients of that poisoned recursor.
This is already known, if a secure resolver sits behind a non-secure recursor you're on your own.

grtz
Miek
--
:wq!

#----------------------------------------------------------------------
# To unsubscribe, send a message to <[EMAIL PROTECTED]>.
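The failure mode quoted above (a secondary whose SOA expire timer lets it keep answering after the zone's RRSIGs have expired, so validating resolvers treat the whole zone as bogus) can be checked numerically from the RRSIG expiration field and the secondary's last successful transfer. The script below is an added illustration written for this page, not code from the thread or from any DNS implementation; the timestamps, the 14-day and 7-day SOA expire values and the zone are constructed for the example, and the validator check ignores the serial arithmetic real resolvers apply to the 32-bit RRSIG time fields.

```python
"""Constructed example: can a DNSSEC secondary outlive its own signatures?

Compares the moment a secondary stops serving a zone (last successful
transfer + SOA expire) with the RRSIG expiration time, and shows what a
validating resolver does with a signature outside its validity window.
"""
from datetime import datetime, timedelta, timezone

# RRSIG inception/expiration presentation format, always UTC (RFC 4034 s.3.2).
RRSIG_TIME_FORMAT = "%Y%m%d%H%M%S"


def utc(*parts: int) -> datetime:
    """Convenience constructor for a UTC datetime, e.g. utc(2003, 3, 20, 10)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_rrsig_time(text: str) -> datetime:
    """Parse an RRSIG time field such as 20030401000000 into a UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME_FORMAT).replace(tzinfo=timezone.utc)


def validator_accepts(inception: str, expiration: str, now: datetime) -> bool:
    """A validating resolver accepts an RRSIG only inside [inception, expiration].

    Outside that window the signed data is bogus, so the name disappears for
    every client of that resolver: the "local removal" described in the thread.
    (Simplification: real validators compare the fields with serial arithmetic.)
    """
    return parse_rrsig_time(inception) <= now <= parse_rrsig_time(expiration)


def secondary_exposure(expiration: str, last_refresh: datetime, soa_expire: int) -> dict:
    """How long could the secondary answer with RRSIGs that have already expired?

    last_refresh: time of the last successful zone transfer from the primary.
    soa_expire:   the SOA EXPIRE field in seconds; after that the secondary
                  stops answering authoritatively for the zone.
    """
    sig_expires = parse_rrsig_time(expiration)
    zone_expires = last_refresh + timedelta(seconds=soa_expire)
    stale = (zone_expires - sig_expires).total_seconds()
    return {
        "signatures_expire": sig_expires,
        "secondary_expires": zone_expires,
        # seconds during which the secondary still answers, but validators reject it
        "exposure_seconds": max(0, int(stale)),
        "safe": stale <= 0,
    }


def max_safe_soa_expire(expiration: str, last_refresh: datetime) -> int:
    """Largest SOA expire value (seconds) for which a copy fetched at
    last_refresh goes silent no later than its signatures expire."""
    remaining = parse_rrsig_time(expiration) - last_refresh
    return max(0, int(remaining.total_seconds()))


if __name__ == "__main__":
    # Constructed values: RRSIGs on the zone expire 1 April 2003 00:00 UTC,
    # the secondary's last good transfer was 20 March 2003 10:00 UTC.
    rrsig_expiration = "20030401000000"
    last_ok_transfer = utc(2003, 3, 20, 10)
    for soa_expire in (14 * 86400, 7 * 86400):
        report = secondary_exposure(rrsig_expiration, last_ok_transfer, soa_expire)
        print(f"SOA expire {soa_expire // 86400:2d}d: safe={report['safe']}, "
              f"serves expired signatures for {report['exposure_seconds']} s")
    print("largest safe SOA expire:",
          max_safe_soa_expire(rrsig_expiration, last_ok_transfer), "s")
    # What a validating resolver sees one day after the signatures lapse.
    print("validator accepts after expiry:",
          validator_accepts("20030301000000", rrsig_expiration, utc(2003, 4, 2)))
```

The useful operational number is the last one: the SOA expire timer of a signed zone has to be shorter than the time left on the signatures at transfer time, otherwise an unreachable primary turns a merely stale secondary into one that validating resolvers refuse outright. The same check, run against a non-validating recursor, changes nothing, which is the point Miek makes: without validation in the path there is no way to tell the expired or spoofed copy from a good one.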
