Reviewer: Di Ma Review result: Ready with Issues This version adds more discussions about DNSSEC to priming exchange, which I think need clearer statements.
In this document, the authors say “With such resolvers, an attacker that controls a rogue root server effectively controls the entire domain name space and can view all queries and alter all unsigned data undetected.” However, this is not true when a DNSSEC-aware resolver has been configured with one or more Trust Anchors from some TLDs. In such case, it is not safe to say "an attacker that controls a rogue root server effectively controls the entire domain name space". _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
