Usually, DNSSEC can stop cache poisoning attack. And for such event where the Resource Records are wrongly updated, maybe the method provided by draft-jabley-dnsop-dns-flush-00 is useful to flush the bad resource records on recursive DNS servers.
Guangqing Deng CNNIC From: Hosnieh Date: 2013-08-28 15:03 To: Joe Abley CC: dnsop WG Subject: Re: [DNSOP] wouldn't it be nice if there was an automatic mechanism to help with this? Follow up, If you have a secure mechanism that does not allow attackers to do cache poisioning on the client's stub resolver, then this solve the problem of malicious websites as well. Best, Hosnieh
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
