* Ted Lemon:

> On Mar 8, 2015, at 6:31 PM, Ralf Weber <d...@fl1ger.de> wrote:
>> I was told that the difference is that a security aware resolver does
>> not validate, but instead relies on the "Validating Stub Resolver" to
>> protect the user. So it would handle all the DNSSEC processing to the
>> authoritative and would store the records with signatures in the cache,
>> but it wouldn't check if they are valid.
>
> Doesn't this create an opportunity for a DoS attack based on
> poisoning the cache with a record that won't validate?

Yes, but that's inherent to DNSSEC and not specific to this
configuration.  For instance, you might cache bad glue records, which
also prevents using DNSSEC to see that they are bad.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop