> I agree extra RRs are allowed, but I think they must be authentic.
> So the worst attacker can do is to add RRs which are 'DNSSEC secure'
> into the answer.
If the stub blindly takes the first RRset that matches qtype, then an attacker can insert its own RRset in front. If that is from a zone that is not DNSSEC secure then the validator will allow it and not set the AD bit. If it is from a DNSSEC secure zone, then the RRSIGs have to check out but the validator will set the AD bit if the original reply was secure. This can also be used to turn a NODATA reply into one that the stub resolver believes has an answer.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
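The selection step the reply is describing, shown from the stub's side as an added example (my own illustration, not code from the thread or from any resolver). It hand-builds DNS responses whose answer section carries an unrelated A RRset ahead of, or instead of, the RRset for the queried name, then compares a stub that takes the first RRset of the right type with one that only accepts the RRset owned by the question name (following any CNAME chain). All names and addresses are constructed; the example covers RRset selection only, not RRSIG validation or the AD bit.

```python
import struct

TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name):
    """Wire-format a dotted name (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off] (handles compression pointers); return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def rr(owner, rtype, rdata, ttl=300):
    """One resource record in wire format."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, qtype, answers, flags=0x8180):
    """Header + one question + the given answer RRs (constructed test message)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + b"".join(answers)


def parse_response(msg):
    """Return (qname, qtype, [(owner, type, rdata), ...]) for the answer section."""
    _, _, _qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype = struct.unpack("!HH", msg[off:off + 4])[0]
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_CNAME:  # keep CNAME targets as names, not raw bytes
            rdata, _ = decode_name(msg, off)
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, qtype, answers


def naive_select(msg):
    """The behaviour the reply warns about: first RRset whose type matches qtype."""
    _, qtype, answers = parse_response(msg)
    for owner, rtype, _ in answers:
        if rtype == qtype:
            return owner, [rd for o, t, rd in answers if o == owner and t == rtype]
    return None, []


def strict_select(msg):
    """Accept only the RRset owned by the question name, following CNAMEs in order."""
    qname, qtype, answers = parse_response(msg)
    target = qname
    for _ in range(8):  # bound CNAME chasing
        data = [rd for o, t, rd in answers if o == target and t == qtype]
        if data:
            return target, data
        cnames = [rd for o, t, rd in answers if o == target and t == TYPE_CNAME]
        if not cnames:
            return None, []  # nothing for the asked name: treat as NODATA, ignore stray RRsets
        target = cnames[0]
    return None, []


# Constructed addresses from the RFC 5737 documentation ranges.
LEGIT = bytes([192, 0, 2, 10])
STRAY = bytes([198, 51, 100, 7])


def case_extra_rrset_in_front():
    """An unrelated A RRset placed ahead of the real answer."""
    msg = build_response("www.example.test.", TYPE_A, [
        rr("unrelated.example.test.", TYPE_A, STRAY),
        rr("www.example.test.", TYPE_A, LEGIT),
    ])
    return naive_select(msg), strict_select(msg)


def case_nodata_with_stray_rrset():
    """A NODATA reply for the asked name that carries an unrelated A RRset."""
    msg = build_response("www.example.test.", TYPE_A, [
        rr("unrelated.example.test.", TYPE_A, STRAY),
    ])
    return naive_select(msg), strict_select(msg)


def case_cname_chain():
    """Legitimate CNAME chain: the strict selector still finds the answer."""
    msg = build_response("www.example.test.", TYPE_A, [
        rr("www.example.test.", TYPE_CNAME, encode_name("host.example.test.")),
        rr("host.example.test.", TYPE_A, LEGIT),
    ])
    return strict_select(msg)


if __name__ == "__main__":
    print(case_extra_rrset_in_front())
    print(case_nodata_with_stray_rrset())
    print(case_cname_chain())
```

In the first case the naive stub returns the stray RRset while the strict one returns the data for `www.example.test.`; in the NODATA case the naive stub "finds" an answer where the strict one correctly reports none. A real stub would additionally require the question name and the owner names to come back in matching class, and would only trust the AD bit over a channel it considers secure.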
