In your letter dated Mon, 18 Mar 2024 08:01:38 +0100 you wrote: >On 2024-03-17 20:12 -07, internet-dra...@ietf.org wrote: >> Internet-Draft draft-ietf-dnsop-ns-revalidation-06.txt is now available. It >is > >| 7. Security Considerations >| [...] >| In case of non DNSSEC validating >| resolvers, an attacker controlling a rogue name server for the root >| has potentially complete control over the entire domain name space >| and can alter all unsigned parts undetected. > >can alter *all* parts undetected. > >It's a non-DNSSEC validating resolver, it doesn't care about signed or >unsigned. Maybe just drop that sentence, it doesn't add much.
A non DNSSEC validation resolver may have downstream validators that can detect changes to signed data. So an attacker that wishes to stay undetected has to be careful not to modify signed data. I guess the authors should add some clarifying text here to make clear why in the case of a non validating resolver the attacker can only alter the unsigned parts. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
