On Sun, Aug 17, 2008 at 8:23 PM, Jim Reid <[EMAIL PROTECTED]> wrote:
> I suspect you're talking about the absurdly hypothetical scenario where
> someone gets a non DNSSEC-aware resolving server to look up some RRSIG, then
> the zone is resigned, then they ask that server for the QTYPE that the
> already cached RRSIG once signed.

Not that hypothetical. It's just another attack vector, and one that would work well against non-signed zones. A non-DNSSEC resolver could be used to poison DNSSEC-aware resolvers.

In any case, DNSSEC is a dead issue. The problem here is UDP. We have to move to a more reliable transport. TCP with UDP fallback? That's easy to do and will still take years to deploy. The network is slow when it comes to upgrading.

Just imagine the impact DNSSEC will have. Not very much. The large corporations who swallow the commercial BIND FUD will be first to deploy. But most of the world won't bother, and once the world discovers DNSSEC gives root control over to ICANN, the net result will be a black eye for ICANN. Poor little ICANN can't afford more scrutiny. Their market share in root services has gone from 100% to 70%. That's not impressive. If it were not for my putting an end to the European HEX, that amount today would be more like 40%. Back then the HEX accounted for a 5% drop in ICANN's market share of root services.

later

joe baptista

--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive,
Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop