On Thu, Nov 12, 2015 at 09:54:42AM -0800, Paul Hoffman <paul.hoff...@vpnc.org> wrote a message of 43 lines which said:
> If the NXDOMAIN response is not signed, it allows an attacker to
> block resolution of a name that was good, yes?

I do not see why it's new: without DNSSEC, a resolver can be poisoned,
"NXDOMAIN cut" or not. It is the case today.

[The only new thing is the possibility to deny existence of not just a
name but an entire subtree. Again, the solution is to use DNSSEC.]

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop