On Fri, Aug 22, 2008 at 11:53:02AM -0700, David Conrad wrote:
If you ensure the namespace and authorities are identical between the
two infrastructures, there are no technical issues (at least that I've
heard about).
{diving into a detail - the ARPA zone shares its NS RRSet with the root
On Fri, 22 Aug 2008, Blacka, David wrote:
So one can use poison on a validating DNSSEC resolver to achieve false
resolution for any new unsigned zone. Put another way, the bad guy
can create new delegations under opt-out NSEC3 records.
This fact is specifically mentioned in the Security
On 23 Aug 2008, at 13:52, Larson, Matt wrote:
And I should note that in the case of .com and .net zones signed with
NSEC3, rather than going to the trouble of spoofing a domain into
existence, a bad guy with ~USD 10 could just buy the domain.
Or give it back within 5 days and get the 10 bucks