On Thu, 24 Apr 2025 at 18:45, Stephane Bortzmeyer <[email protected]> wrote:
> On Wed, Apr 23, 2025 at 11:19:26AM +0530,
>  tirumal reddy <[email protected]> wrote
>  a message of 450 lines which said:
>
> > > * In Section 3, "However, this approach is ineffective when DNSSEC
> > > is deployed given that DNSSEC ensures the integrity and
> > > authenticity of DNS responses, preventing forged DNS responses
> > > from being accepted." There are assumptions about DNSSEC
> > > deployment baked into this statement. In practice, it has little
> > > preventative force.
> >
> > The existing text in Section 3 is intended to describe the behavior
> > when DNSSEC is deployed, and is agnostic to the actual deployment
> > levels of DNSSEC globally. It makes no claim about how commonly
> > DNSSEC is used in practice.
>
> I suspect that Mark was not referring to the size of the DNS
> deployment but to the fact that there are several deployment
> strategies possible. For instance, DNSSEC validation can be done on a
> remote resolver (ISP, corporate network) but also on a resolver local
> to the machine. In the first case, forged DNS responses won't be a
> problem for DNSSEC if the forgery is done by the remote resolver.

The scenario where a validating resolver forges responses and returns them to a client while still claiming DNSSEC validation success is particularly concerning. This would constitute a breach of trust, as it effectively lies to the client, undermining the integrity guarantees DNSSEC was designed to provide. I think that such behavior should not be encouraged and therefore prefer not to discuss or imply support for such deployment patterns in the document.

-Tiru
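The distinction Stephane draws above (validation on a remote resolver versus a resolver local to the machine) comes down to whether the client can trust the AD ("Authentic Data") bit a resolver sets in its response. A stub that merely forwards to an ISP resolver sees only that resolver's claim; RFC 4035 Section 4.9.3 says a stub should rely on such a claim only when it comes from a trusted resolver over a secure channel. The following is an added example, not code from the thread or from the draft under discussion: it parses the fixed DNS header, extracts the AD bit, and applies a client-side policy that treats AD as meaningful only when the answering resolver is on a trusted list (here a hypothetical loopback validator). The header bytes and resolver addresses are constructed for the example.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authentic Data: set by a validating resolver


def parse_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header and return the fields a stub cares about."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def validation_status(msg: bytes, resolver: str, trusted_validators: set) -> str:
    """Classify how much the AD bit in a response is worth to this client.

    'validated'  - AD set and the resolver is one this host trusts to validate
                   (e.g. a validating resolver on the loopback address)
    'unverified' - AD set by a resolver we do not trust; the bit only records
                   that resolver's claim, so the client should not rely on it
    'insecure'   - AD not set: no validation was claimed at all
    """
    hdr = parse_header(msg)
    if not hdr["ad"]:
        return "insecure"
    if resolver in trusted_validators:
        return "validated"
    return "unverified"


def build_response_header(ident: int, ad: bool) -> bytes:
    """Construct a response header (QR, RD, RA set; one question, one answer)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)


if __name__ == "__main__":
    # Constructed example: the host runs its own validating resolver on loopback
    # (hypothetical address) and also receives answers from a remote resolver.
    trusted = {"127.0.0.1"}
    claimed = build_response_header(0x1234, ad=True)
    print(validation_status(claimed, "127.0.0.1", trusted))   # validated
    print(validation_status(claimed, "192.0.2.53", trusted))  # unverified
    print(validation_status(build_response_header(0x1234, ad=False), "127.0.0.1", trusted))  # insecure
```

The point the example makes concrete is that the AD bit is an assertion by whichever resolver performed validation; moving validation onto the client's own machine is what turns that assertion into something the client can check itself.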
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
