George Barwood wrote:
> For a resolver behind a NAT firewall that removes port randomization,
You should also assume that the firewall traps all the packets to
port 53.
> it is possible for an attacker to spoof the priming query (only
> 16 bits of ID protection).
Yes, it is possible even with a signed root, because the client can't
directly ask name servers and must just rely on the firewall.
So, the answer is that root servers should not be signed, because
signing is useless.
Masataka Ohta
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
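The spoofing surface the two posters are arguing about, as an added worked model (this is editor-supplied example code, not anything from the thread or from any resolver implementation): a resolver builds the root priming query on the wire, the acceptance check it applies to a UDP answer is spelled out (same port, QR set, same ID and question), and an off-path attacker floods all 65536 IDs at one port guess. Two scenarios are compared: the resolver's randomized source port reaches the attacker untouched (32 bits to guess), or a NAT in the path replaces it with a predictable port (16 bits left). The `PredictableNat` class, the port numbers 40000/40001 and the random seeds are assumptions made for the illustration; the model does not cover the timing race against the genuine answer or what a validating resolver does with the answer's content afterwards.

```python
import random
import struct

# DNS wire-format constants (RFC 1035). This whole block is an added, stand-alone
# model written for illustration, not code from the thread or from any resolver.
QTYPE_NS, QCLASS_IN = 2, 1
HEADER_FMT, HEADER_LEN = "!HHHHHH", 12      # id, flags, qd, an, ns, ar


def encode_name(name):
    """Encode a dotted name as DNS labels; the root '.' is a lone zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_priming_query(txid):
    """Root priming query '. IN NS' (RD set), as a resolver sends it at startup."""
    header = struct.pack(HEADER_FMT, txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def build_forged_response(txid):
    """Forged priming answer with QR set and the same question. The answer section
    is left empty: it is irrelevant to whether the resolver's match check passes."""
    header = struct.pack(HEADER_FMT, txid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def parse_question(packet):
    """Return (txid, flags, question bytes) of a packet carrying one question."""
    txid, flags, qdcount, _, _, _ = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = HEADER_LEN
    while packet[pos] != 0:               # walk the labels (no compression here)
        pos += 1 + packet[pos]
    pos += 1 + 4                          # terminating zero + QTYPE + QCLASS
    return txid, flags, packet[HEADER_LEN:pos]


def response_matches(query, query_port, response, response_port):
    """Acceptance check for a UDP answer: it must come back to the port the query
    left from, be a response (QR=1) and repeat the query's ID and question.
    Nothing here inspects the content of the answer section."""
    if query_port != response_port:
        return False
    q_id, _, q_question = parse_question(query)
    r_id, r_flags, r_question = parse_question(response)
    return bool(r_flags & 0x8000) and q_id == r_id and q_question == r_question


def guess_space_bits(port_randomized):
    """Bits an off-path attacker must guess per forged packet: the 16-bit ID,
    plus 16 bits of source port unless a NAT has made the port predictable."""
    return 32 if port_randomized else 16


def success_probability(bits, forged_packets):
    """Chance that a flood of n distinct guesses contains the outstanding query's
    (port, ID) pair; at most 2**bits guesses can be distinct."""
    return min(forged_packets, 2 ** bits) / 2 ** bits


class PredictableNat:
    """Hypothetical, simplified NAT that hands out external ports sequentially,
    so anyone who observed one mapping can predict the next one."""
    def __init__(self, base=40000):
        self.next_port = base
        self.table = {}

    def outbound(self, inside_port):
        ext = self.next_port
        self.next_port += 1
        self.table[ext] = inside_port
        return ext


def spoof_priming(query_txid, query_port, attacker_port_guess):
    """Off-path attacker sends every ID 0..65535 to one guessed port. Returns how
    many forged packets it took for one to be accepted, or None on failure."""
    query = build_priming_query(query_txid)
    for guess in range(65536):
        forged = build_forged_response(guess)
        if response_matches(query, query_port, forged, attacker_port_guess):
            return guess + 1
    return None


def run_scenario(behind_nat, seed=1):
    """Resolver randomizes its source port; behind the NAT that randomization is
    replaced by a predictable port the attacker has already learned."""
    rng = random.Random(seed)
    txid = rng.randrange(65536)
    inside_port = rng.randrange(1024, 65536)
    nat = PredictableNat(base=40000)
    nat.outbound(rng.randrange(1024, 65536))   # an earlier flow the attacker saw
    attacker_guess = 40001                     # hence predicts the next mapping
    visible_port = nat.outbound(inside_port) if behind_nat else inside_port
    return {"bits": guess_space_bits(not behind_nat),
            "attempts": spoof_priming(txid, visible_port, attacker_guess)}


if __name__ == "__main__":
    for behind_nat in (True, False):
        print("behind NAT" if behind_nat else "direct", run_scenario(behind_nat))
```

Run it and the NAT scenario always succeeds within 65536 forged packets, while the direct scenario fails unless the attacker's single port guess happens to equal the resolver's random port; `success_probability(16, 65536)` versus `success_probability(32, 65536)` gives the same comparison in closed form.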