On Mon, 30 Oct 2017, Konda, Tirumaleswar Reddy wrote:

> An active attacker can drop DNS messages with DNSSEC records

The same attacker can block TLS to 8.8.8.8

> set the CD bit in the DNS query, AD bit in the DNS response

That will do nothing to validating DNS servers, as they don't use those bits for anything.

> clear the DNSSEC OK bit in the DNS query

That will return a BOGUS answer and will be detected as a DoS attack.

> or strip the DNSSEC data from the DNS response to disable DNSSEC (Section https://tools.ietf.org/html/rfc3225).

That will return a BOGUS or INDETERMINATE answer and will be detected as a DoS attack.

You have not shown any actual active attack against DNSSEC. You have only shown denial of service attacks by packet mangling/dropping. All of that applies equally to TLS.

Paul

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy