On 2010-11-22, at 10:43, Joe Greco wrote:

> It's funny, isn't it, didn't we just finish convincing the government
> of the need for DNSSEC, making the DNS system more resistant to some
> forms of tampering?

I guess if the manner of the interception was to send back SERVFAIL to DNS 
clients whose queries were (in some sense) objectionable, the result would be 
that the clients were not able to resolve the (in some sense) bad names. This 
would in effect be a selective denial of service attack to DNS clients.

DNSSEC provides no integrity protection over that type of interference -- you 
need to get an answer for the answer to have a signature, and without a 
signature there's nothing to check.


Joe
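The point made in the message above, as an added example that is not part of the original post: a minimal DNS wire-format parser showing what a validator has to work with in each case. Both sample responses are constructed, the RRSIG rdata is a zero-filled placeholder rather than a real signature, and the helper names are hypothetical.

```python
import struct

SERVFAIL, A, RRSIG = 2, 1, 46

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def signable_content(msg):
    """Return (rcode, answer RR types, whether any RRSIG is present)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):           # each question: name + qtype + qclass
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):           # each RR: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return flags & 0xF, types, RRSIG in types

def build(name, rcode, answers):
    """Build a constructed response for an A/IN question (sample data only)."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = encode_name(name) + struct.pack("!HH", A, 1)
    body = b"".join(encode_name(name) + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                    for t, rd in answers)
    return hdr + question + body

# Constructed samples: a signed answer, and the bare SERVFAIL an interceptor could return.
SIGNED = build("example.com", 0, [(A, bytes([192, 0, 2, 1])), (RRSIG, b"\x00" * 24)])
BLOCKED = build("example.com", SERVFAIL, [])

if __name__ == "__main__":
    for label, msg in (("signed", SIGNED), ("blocked", BLOCKED)):
        rcode, types, has_sig = signable_content(msg)
        print(f"{label}: rcode={rcode} answer_types={types} rrsig_present={has_sig}")
```

The SERVFAIL response carries no answer records at all, so there is no RRset and no RRSIG for a validator to check.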

