On Tue, 13 May 2014, Ben Laurie wrote:

OK, good point: zone cuts need to also be verified.

The other case is injection of a custom DS RRset. How would we tell the
difference between the legitimate zone owner adding a DS record or an
attacker/parent zone owner adding one?

The legitimate owner can tell - that's the point, right?

How does that help protect a non-owner user of someone's site being
attacked with a targeted attack? If I don't run victim.com, and I am
just a visitor of victim.com, but only I am given rogue DNSSEC records,
how can I tell something is wrong? I would go to the public log and see
the DS I received is not in there?

(I'm late in this discussion, so I wouldn't know how this gets
 authenticated by the consumer and the victim.com's owner, especially
 if the parent could do a hostile takeover)

Paul

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans