In your previous mail you wrote:

> So please consider other options before repeating the holy mantra 'DNSSEC is the only solution'.

=> it is not a mantra but the reality:

- transaction protection is not enough if we want to keep caching in the middle (the argument is it has to be a perfect protection to be efficient; a single hole somewhere can corrupt an unbound amount of clients)
- data protection is the solution
- the right granularity is the RRset, because coarser (name, for instance) is inefficient and finer (RR) is prone to specific DoS attacks
- the needed protection is origin and integrity; this calls for a signature system

So the complete solution for the cache poisoning issue is to sign RRsets. You can specify something new from zero, but it shall look very similar to DNSSEC...
Regards

[EMAIL PROTECTED]

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
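The argument above (origin and integrity protection, applied at RRset granularity, by signing the whole set rather than individual records) can be shown with a small model. The following Go program is an added illustration and is not part of the post or of any DNSSEC implementation: it uses Ed25519 from the Go standard library and a simplified, ad hoc canonical form (owner name lower-cased, RDATA sorted, TTL ignored) in place of the RFC 4034 wire-format canonicalisation. A validating cache that verifies the signature over the set detects both an injected record and a stripped record, which is what a per-record signature alone would not catch for the stripping case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record model (assumption: TTL and class are omitted
// for brevity; the real DNSSEC canonical form includes both).
type RR struct {
	Owner string
	Type  string
	RData string
}

// canonicalRRset serialises a set of records sharing owner and type into a
// deterministic byte string, independent of the order the records arrived in.
// Mixed owners or types are rejected: an RRset is exactly one (owner, type).
func canonicalRRset(rrs []RR) ([]byte, error) {
	if len(rrs) == 0 {
		return nil, errors.New("empty RRset")
	}
	owner := strings.ToLower(rrs[0].Owner)
	typ := rrs[0].Type
	rdatas := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		if strings.ToLower(rr.Owner) != owner || rr.Type != typ {
			return nil, errors.New("records do not form a single RRset")
		}
		rdatas = append(rdatas, rr.RData)
	}
	sort.Strings(rdatas) // order-independence: the resolver may see any order
	var b strings.Builder
	fmt.Fprintf(&b, "%s\x00%s\x00", owner, typ)
	for _, r := range rdatas {
		b.WriteString(r)
		b.WriteByte(0)
	}
	return []byte(b.String()), nil
}

// SignRRset produces one signature covering the whole RRset (origin + integrity).
func SignRRset(priv ed25519.PrivateKey, rrs []RR) ([]byte, error) {
	msg, err := canonicalRRset(rrs)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyRRset is what a validating cache runs before accepting a set of
// records; any change to the set membership invalidates the signature.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	msg, err := canonicalRRset(rrs)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo runs the three cases a cache cares about and returns the verdicts:
// genuine set accepted, set with an injected record rejected, set with a
// stripped record rejected. Records and names are constructed sample data.
func Demo() (genuineOK, injectedOK, strippedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	zoneSet := []RR{
		{"www.example.test.", "A", "192.0.2.10"},
		{"www.example.test.", "A", "192.0.2.11"},
	}
	sig, err := SignRRset(priv, zoneSet)
	if err != nil {
		return false, false, false, err
	}
	// Arrival order differs from signing order; canonicalisation absorbs that.
	received := []RR{zoneSet[1], zoneSet[0]}
	genuineOK = VerifyRRset(pub, received, sig)

	injected := append([]RR{}, zoneSet...)
	injected = append(injected, RR{"www.example.test.", "A", "198.51.100.99"})
	injectedOK = VerifyRRset(pub, injected, sig)

	stripped := zoneSet[:1]
	strippedOK = VerifyRRset(pub, stripped, sig)
	return genuineOK, injectedOK, strippedOK, nil
}

func main() {
	g, i, s, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v injected=%v stripped=%v\n", g, i, s)
}
```

Run it with `go run .`; the genuine set verifies regardless of record order, while both the injected and the stripped variants fail verification, so the cache refuses to store either.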