I have been wondering about this.

For a resolver behind a NAT firewall that removes port randomization,
it is possible for an attacker to spoof the priming query (only 16 bits of
ID protection).

If root-servers.net is unsigned, it's not possible for the resolver to validate
the set of root IP addresses, meaning that

(a) An attacker can control every unsigned zone.

(b) An attacker can monitor every request to a signed zone (no privacy).

(c) An attacker can deny service to any zone, on a selective basis.

Apparently there are currently no plans to sign root-servers.net.

The main argument against seems to be that the priming query
response size (with DO=1) would be greatly increased.

Any thoughts?
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
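A defender-side check for the situation described in the post above, added here as an example and not taken from the original message: with root-servers.net unsigned, the only things a resolver can verify on a priming response are the 16-bit transaction ID and agreement of the glue with its locally configured root hints. The hints and the wire-format response below are constructed (RFC 5737 documentation addresses), not the real IANA data.

```python
import struct

# Constructed sample hints using RFC 5737 documentation addresses, not the real IANA root hints file.
ROOT_HINTS = {"a.root-servers.net.": "192.0.2.1", "b.root-servers.net.": "192.0.2.2"}

def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name; the root '.' encodes as a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:                       # compression pointer: remember where we left off
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + length].decode())
            off += 1 + length
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def build_priming_response(txid: int, glue: dict) -> bytes:
    """Constructed '. IN NS' reply: one NS RR per server, A glue in the additional section."""
    body = encode_name(".") + struct.pack("!HH", 2, 1)  # question: . IN NS
    for name in glue:
        rdata = encode_name(name)
        body += encode_name(".") + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    for name, ip in glue.items():
        body += encode_name(name) + struct.pack("!HHIH", 1, 1, 518400, 4) + bytes(map(int, ip.split(".")))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(glue), 0, len(glue)) + body

def check_priming_response(msg: bytes, expected_txid: int, hints: dict) -> list:
    """Return findings; empty means the ID matched and every root-servers.net glue agrees with hints."""
    findings = []
    txid, _flags, qd, an, au, ar = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:                           # without port randomization this is the only wire check
        findings.append(f"transaction id {txid:#06x} != expected {expected_txid:#06x}")
    off = 12
    for _ in range(qd):                                 # skip the question section (name + type + class)
        off = decode_name(msg, off)[1] + 4
    for _ in range(an + au + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and name.endswith(".root-servers.net."):
            ip = ".".join(str(b) for b in rdata)
            if hints.get(name) != ip:
                findings.append(f"{name} glue {ip} does not match hints ({hints.get(name)})")
    return findings
```

A real resolver would run the same comparison on the bytes it receives from the network; a mismatch against the hints is the signal that a forged priming response may have been accepted.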