On 2024-03-18 10:33 +01, Philip Homburg <pch-dnso...@u-1.phicoh.com> wrote:
> In your letter dated Mon, 18 Mar 2024 08:01:38 +0100 you wrote:
>> On 2024-03-17 20:12 -07, internet-dra...@ietf.org wrote:
>>> Internet-Draft draft-ietf-dnsop-ns-revalidation-06.txt is now available. It
>> is
>>
>> | 7. Security Considerations
>> | [...]
>> | In case of non DNSSEC validating
>> | resolvers, an attacker controlling a rogue name server for the root
>> | has potentially complete control over the entire domain name space
>> | and can alter all unsigned parts undetected.
>>
>> can alter *all* parts undetected.
>>
>> It's a non-DNSSEC validating resolver, it doesn't care about signed or
>> unsigned. Maybe just drop that sentence, it doesn't add much.
>
> A non DNSSEC validation resolver may have downstream validators that can
> detect changes to signed data. So an attacker that wishes to stay undetected
> has to be careful not to modify signed data.

ah yes, true.

> I guess the authors should add some clarifying text here to make clear why
> in the case of a non validating resolver the attacker can only alter the
> unsigned parts.

-- 
In my defence, I have been left unsupervised.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
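The point made in the thread above, that a downstream validator catches changes to signed data while unsigned data can be altered without anyone noticing, as an added Go model (not code from the thread, the draft or any resolver): a rogue root rewrites an RRset, a non-validating resolver forwards it unchanged, and a downstream validator classifies the result. The RRset type, the canonical form that is signed and the freshly generated Ed25519 key pair are assumptions of this model, not real DNSSEC wire formats or a real trust anchor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RRset: owner name, type, rdata, and the RRSIG-like signature a signed zone attaches (nil if unsigned).
type RRset struct {
	Name, Type string
	Rdata      []string
	Sig        []byte
}

// canonical stands in for the canonical RRset form that an RRSIG covers (simplified, assumed).
func (r RRset) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%q", r.Name, r.Type, r.Rdata))
}

// sign models a DNSSEC-signed zone using Ed25519 (DNSSEC algorithm 15).
func sign(priv ed25519.PrivateKey, r RRset) RRset {
	r.Sig = ed25519.Sign(priv, r.canonical())
	return r
}

// rogueRoot rewrites rdata in transit; without the zone key it can only leave the old signature behind.
func rogueRoot(r RRset, fake string) RRset {
	r.Rdata = []string{fake}
	return r
}

// Validate: the downstream validator's verdict in RFC 4035 terms: secure, bogus (signature fails), insecure (unsigned).
func Validate(pub ed25519.PublicKey, r RRset) string {
	if r.Sig == nil {
		return "insecure"
	} else if ed25519.Verify(pub, r.canonical(), r.Sig) {
		return "secure"
	}
	return "bogus"
}

// Demo sends one signed and one unsigned RRset through the rogue root and an unchanged
// forwarding (non-validating) resolver and returns each verdict. Addresses are constructed TEST-NET-1 values.
func Demo() (signed, unsigned string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signedRR := sign(priv, RRset{Name: "www.example.", Type: "A", Rdata: []string{"192.0.2.1"}})
	unsignedRR := RRset{Name: "www.example.net.", Type: "A", Rdata: []string{"192.0.2.2"}}
	return Validate(pub, rogueRoot(signedRR, "192.0.2.66")), Validate(pub, rogueRoot(unsignedRR, "192.0.2.66"))
}
```

Demo() returns "bogus" for the tampered signed RRset and "insecure" for the tampered unsigned one, which is exactly why only the unsigned parts can be altered undetected.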