On Mon, 18 Aug 2008, Jim Reid wrote:
> And why would these caching servers be signing anything? It's the
> master server that signs the zone.

I never said otherwise. Ok, I agree that totally DNSSEC-oblivious servers won't be a problem for DOS, but of course remain susceptible to poisoning even if the stub resolver and the authority server both implement DNSSEC.

> Now if that resolving server does pay attention to the DO bit, it will
> set it on the query it makes to the authoritative server. That makes
> the authoritative server return an answer which will contain the new
> RRSIG and the resolving server's cache is updated accordingly.

Ok. So what about caching servers that do understand the DO bit but don't actually verify the responses? They just cache the response for the stub resolver to verify? These servers can still be poisoned with invalid record combinations that they pass on to stub resolvers, resulting in the DOS. Such servers may still be subject to the race condition I described.

And the caching servers that do verify are susceptible to the DOS attack I described.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
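As an added illustration of the point Dean makes about DO-aware but non-validating caches (this is not code from the thread or from any DNS implementation), the toy model below has an authoritative server, two caching servers and a validating stub. One cache forwards DO upstream and stores RRSIGs without checking them; the other only stores answers whose RRSIG verifies. Both are fed the same bad RRset/RRSIG combination and then queried through the stub. The RRSIG is stood in for by an HMAC over the canonical RRset (an assumption; a real RRSIG is an asymmetric signature, but the only property used here is that changing the RDATA invalidates it), and the zone key, names and addresses are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

ZONE_KEY = b"constructed-zone-key"  # constructed stand-in for the zone's signing key


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple  # RDATA strings


def canonical(rrset: RRset) -> bytes:
    """Canonical form: owner name lowercased, RDATA sorted (as RRSIG covers it)."""
    return "|".join([rrset.name.lower(), rrset.rtype, *sorted(rrset.rdata)]).encode()


def sign(rrset: RRset) -> bytes:
    """HMAC stand-in for the zone's RRSIG over the RRset (assumption, see lead-in)."""
    return hmac.new(ZONE_KEY, canonical(rrset), hashlib.sha256).digest()


def validate(rrset: RRset, rrsig: bytes) -> bool:
    return hmac.compare_digest(sign(rrset), rrsig)


@dataclass
class Answer:
    rrset: RRset
    rrsig: Optional[bytes]  # None when DO was not set on the query


class AuthServer:
    """Authoritative server: includes the RRSIG only when DO is set."""

    def __init__(self, zone: dict):
        self.zone = zone  # (name, rtype) -> RRset

    def query(self, name: str, rtype: str, do: bool) -> Answer:
        rrset = self.zone[(name, rtype)]
        return Answer(rrset, sign(rrset) if do else None)


class NonValidatingCache:
    """DO-aware cache: sets DO upstream and caches RRSIGs, but never checks
    them; verification is left entirely to the stub."""

    def __init__(self, upstream: AuthServer):
        self.upstream = upstream
        self.cache: dict = {}

    def accept(self, answer: Answer) -> bool:
        return True  # no validation at all

    def store(self, answer: Answer) -> bool:
        """An answer arriving at the cache, whether genuine or a bad combination."""
        if not self.accept(answer):
            return False
        self.cache[(answer.rrset.name, answer.rrset.rtype)] = answer
        return True

    def query(self, name: str, rtype: str, do: bool) -> Optional[Answer]:
        key = (name, rtype)
        if key not in self.cache and not self.store(self.upstream.query(name, rtype, do=True)):
            return None  # SERVFAIL
        ans = self.cache[key]
        return ans if do else Answer(ans.rrset, None)


class ValidatingCache(NonValidatingCache):
    """Same cache, but an answer is stored only if its RRSIG verifies."""

    def accept(self, answer: Answer) -> bool:
        return answer.rrsig is not None and validate(answer.rrset, answer.rrsig)


def stub_lookup(resolver, name: str, rtype: str):
    """Validating stub: sets DO and checks the RRSIG itself.
    Returns ("ok", rdata) or ("servfail", None)."""
    ans = resolver.query(name, rtype, do=True)
    if ans is None or ans.rrsig is None or not validate(ans.rrset, ans.rrsig):
        return ("servfail", None)
    return ("ok", ans.rrset.rdata)


def demo():
    """Feed both caches one bad RRset/RRSIG combination, then query via the stub."""
    zone = {("www.example.", "A"): RRset("www.example.", "A", ("192.0.2.1",))}
    auth = AuthServer(zone)
    genuine = auth.query("www.example.", "A", do=True)
    # constructed bad combination: different RDATA paired with the genuine RRSIG
    bogus = Answer(RRset("www.example.", "A", ("203.0.113.9",)), genuine.rrsig)

    lazy, strict = NonValidatingCache(auth), ValidatingCache(auth)
    lazy.store(bogus)    # accepted: nothing is checked
    strict.store(bogus)  # rejected: the RRSIG does not cover this RDATA
    return {
        "non_validating": stub_lookup(lazy, "www.example.", "A"),
        "validating": stub_lookup(strict, "www.example.", "A"),
    }


if __name__ == "__main__":
    for kind, result in demo().items():
        print(f"{kind:15s} cache -> stub sees {result}")
```

With the non-validating cache the stub receives the cached bad pair, fails validation and gets SERVFAIL for as long as the entry stays cached, which is the denial of service the message describes; the validating cache refuses the pair at store time, so the stub's next query goes upstream and succeeds. The difference is purely where the RRSIG check happens.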