In article <alpine.lrh.2.20.1612211059210.13...@bofh.nohats.ca> you write:
>>> Those malevolent actors are just as capable of using DNSSEC.
>>
>> A lot of the arguments I'm seeing here boil down to "my users are
>> better off with a signed A record pointing to a site that installs
>> Cryptolocker than with an unsigned NXDOMAIN or SERVFAIL."
>
>This comparison is false. Asking people to trust unsigned DNS, or
>filtering out DNS without a signature of proof why it is filtered
>is a downgrade attack on everything DNSSEC is supposed to protect
>us from.

Since DNSSEC doesn't protect us from people sending us malicious
content, it's hard to understand what point you're making here.

>For example, imagine the irony of the next DNSCHANGER to actually change
>people's DNS configuration from ISP-issued resolver to enabling the
>local full resolver to bypass rpz or government DNS filters.

That's what DNSCHANGER has always done -- it gets answers from a DNS
server controlled by the bad guys which returns whatever the bad guys
want. Again, it's hard to understand what point you're making here.

R's,
John
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
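The disagreement above turns on one mechanical fact: DNSSEC proves that an answer came from the zone, not that the answer is safe, and a policy layer (RPZ) that rewrites an answer cannot produce the signature a validating client expects. The following toy model, added here as an illustration and not code from either poster or from any resolver project, shows both halves: a signed A record pointing at a hostile host validates cleanly, while an RPZ-rewritten NXDOMAIN is bogus to a validating stub and surfaces as SERVFAIL. The zone data, the blocklist and the HMAC stand-in for RRSIG/NSEC proofs are all constructed for the example; real DNSSEC uses public-key signatures.

```python
"""Toy model: DNSSEC validation vs. RPZ-style response rewriting.

Constructed example. The HMAC below stands in for RRSIG/NSEC proofs only so
the code runs offline; it is not how DNSSEC signs records.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the zone's signing key (real zones publish DNSKEY
# records and sign with asymmetric keys; a validator never holds the private key).
ZONE_KEY = b"example-zone-signing-key (constructed)"


@dataclass
class Response:
    name: str
    rcode: str                 # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    rdata: Optional[str]       # A record target, or None for a denial
    proof: Optional[bytes]     # stand-in for RRSIG / NSEC; None means unsigned
    policy_applied: bool = False


def sign(name: str, rcode: str, rdata: Optional[str]) -> bytes:
    """Sign the (name, rcode, rdata) triple; denials are signed too (NSEC)."""
    msg = f"{name}|{rcode}|{rdata}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).digest()


def authoritative_answer(zone: dict, name: str) -> Response:
    """The signed zone answers every query, including denial of existence."""
    rdata = zone.get(name)
    rcode = "NOERROR" if rdata is not None else "NXDOMAIN"
    return Response(name, rcode, rdata, sign(name, rcode, rdata))


def apply_rpz(resp: Response, blocklist: set) -> Response:
    """Policy layer: rewrite blocked names to NXDOMAIN.

    The rewritten denial was never signed by the zone, so no valid proof can
    accompany it. This is the 'unsigned NXDOMAIN' in the quoted argument.
    """
    if resp.name in blocklist:
        return Response(resp.name, "NXDOMAIN", None, None, policy_applied=True)
    return resp


def validate(resp: Response) -> str:
    """Validating stub: SECURE only if the proof matches the answer."""
    if resp.proof is None:
        return "BOGUS"
    expected = sign(resp.name, resp.rcode, resp.rdata)
    return "SECURE" if hmac.compare_digest(expected, resp.proof) else "BOGUS"


def resolve(name: str, zone: dict, blocklist: set, validating: bool):
    """Full path: authoritative answer -> RPZ -> (optional) validation.

    Returns (rcode, rdata) as the application would see it. A validating
    client turns any bogus answer into SERVFAIL, whatever the policy intended.
    """
    resp = apply_rpz(authoritative_answer(zone, name), blocklist)
    if validating and validate(resp) != "SECURE":
        return "SERVFAIL", None
    return resp.rcode, resp.rdata


# Constructed zone: one ordinary host and one host the local policy wants blocked.
ZONE = {"www.example": "192.0.2.10", "bad.example": "198.51.100.7"}
BLOCKLIST = {"bad.example"}

if __name__ == "__main__":
    for validating in (False, True):
        for name in ("www.example", "bad.example"):
            print(f"validating={validating!s:5} {name:12} ->",
                  resolve(name, ZONE, BLOCKLIST, validating))
    # Without the policy layer, the hostile host's signed A record is SECURE.
    print("no RPZ, validating  bad.example  ->", resolve("bad.example", ZONE, set(), True))
```

Running it shows the four cases the thread argues over: a non-validating client gets the intended NXDOMAIN for the blocked name, a validating client gets SERVFAIL for it, the unblocked name resolves either way, and with no policy at all the hostile host's signed record validates as SECURE, which is the "signed A record pointing to a site that installs Cryptolocker" outcome.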