On Sep 12, 2013, at 11:07 AM, Theodore Ts'o <ty...@mit.edu> wrote:
> Finally, if you think the target can try to find random caching
> nameservers all across the network to use, (a) there are certain
> environments where this is not allowed --- some ISP's or hotel/coffee
> shop/airline's networks require that you use their name server, and
> (b) for good and proper reasons, most nameservers have been configured
> not to allow recursive queries to random IP addresses.

The model for this sort of validation is really not on a per-client basis, but 
rather depends on routine cross-validation by various DNSSEC operators 
throughout the network. This will not necessarily catch a really focused
attack, so it's not a panacea, but it would limit the scope of the threat for 
this sort of attack.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
