On Tue, Aug 26, 2008 at 05:25:44PM -0400, Dean Anderson wrote:
> An actual poisoning of a non-verifying DNSSEC cache, yes. This is pretty

Wait a minute. You're proposing to show that "a DNSSEC cache" that doesn't actually do DNSSEC (whatever that would mean) can be poisoned? I'm not sure I see the reasoning. I don't think that a positive result would be very big news at all -- in my view, a DNSSEC cache that doesn't validate responses is, well, not a DNSSEC cache at all.

Is your concern that a DNSSEC-aware recursing resolver, with validation turned off, can be poisoned even though it correctly handles all the DNSSEC-requesting questions from a stub resolver, and correctly handles the data from a DNSSEC-offering server, in the case where Mallory can win the race and answer the non-validating DNSSEC-aware resolver before the legitimate server?

A

--
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop