On Tue, Aug 19, 2008 at 11:15:12PM -0400, Dean Anderson wrote:
> I don't know if anyone noticed, but in fact, according to RFC4035 the
> delegation records and the glue records are not signed. A verifying
> DNSSEC cache can be poisoned with bad glue records using the poisoning
> attack, with only a slight change to the Kaminsky software.

Please outline exactly how you think this will work. I just re-read
section 5 of RFC 4035, and I can't see how it can, assuming you do in
fact have a set of valid trust anchors for some superordinate zone to
the victim domain.

A

--
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/