On 11/17/2015 03:22 PM, Mark Andrews wrote:
Given the root zone is signed and most of the TLDs are also signed, there is little a rogue operator can do besides causing a DoS if you validate the returned answers.
This quote from Twitter seems appropriate: "DNSSEC only protects you from getting bad answers. If someone wants you to get no answers at all then DNSSEC cannot help."
I think it would be possible for a rogue operator to completely hide DNSSEC-related records (NODATA) and revert to pre-DNSSEC DNS. Thus it would then be possible to do some nefarious things.
I think the only thing that would help thwart this type of behavior is for clients to do DNSSEC validation themselves. (It's my understanding that most do not.)
-- Grant. . . . unix || die
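As an added illustration of why client-side validation defeats the "hide the DNSSEC records" trick discussed in this thread (example code written for this page, not from the thread, BIND or any resolver), the following Python models the decision a validator makes: a NODATA reply for the DS record at a signed parent is only accepted as "insecure" when it carries a signed NSEC/NSEC3 denial, and an unsigned answer from a zone the parent vouches for is "bogus", not "pre-DNSSEC". The Response class and its fields are a constructed simplification of real DNS messages, not a wire-format parser.

```python
from dataclasses import dataclass


@dataclass
class Response:
    """Constructed summary of one DNS reply (assumption: signatures already checked)."""
    answer_present: bool          # queried RRset is in the answer section
    signed: bool                  # RRSIG present and verified against the chain of trust
    denial_present: bool = False  # NSEC/NSEC3 proof of non-existence included


def delegation_status(parent_secure: bool, ds_reply: Response) -> str:
    """Status of a child zone derived from the DS query at its parent.

    Returns 'secure', 'insecure' or 'bogus' (RFC 4035 terminology).
    """
    if not parent_secure:
        return "insecure"                      # no chain of trust to build on
    if ds_reply.answer_present:
        return "secure" if ds_reply.signed else "bogus"
    # NODATA for DS: only a *signed* denial from the parent proves the child
    # is legitimately unsigned. A bare NODATA is exactly what an operator who
    # strips DNSSEC records would return, so a validator treats it as bogus.
    if ds_reply.denial_present and ds_reply.signed:
        return "insecure"
    return "bogus"


def classify_answer(child_status: str, reply: Response) -> str:
    """Validator's verdict on a reply from the child zone."""
    if child_status in ("bogus", "insecure"):
        return child_status                    # insecure = accepted, no guarantee
    # Child is secure: every positive answer and every denial must be signed.
    if reply.answer_present:
        return "secure" if reply.signed else "bogus"
    return "secure" if (reply.denial_present and reply.signed) else "bogus"


def validate(parent_secure: bool, ds_reply: Response, reply: Response) -> str:
    """End-to-end verdict a validating client reaches for one lookup."""
    return classify_answer(delegation_status(parent_secure, ds_reply), reply)


if __name__ == "__main__":
    # Scenario: parent publishes a DS, but the resolver in the path returns an
    # unsigned DS NODATA and an unsigned A record. A stub that merely reads
    # the AD bit sees ordinary DNS; a validating client rejects it.
    stripped_ds = Response(answer_present=False, signed=False)
    stripped_a = Response(answer_present=True, signed=False)
    print(validate(True, stripped_ds, stripped_a))  # bogus
```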