On Fri, 22 Aug 2008, Blacka, David wrote:

> > So one can use poison on a validating DNSSEC resolver to achieve false
> > resolution for any "new" unsigned zone. Put another way, the bad guy
> > can create new delegations under opt-out NSEC3 records.
>
> This fact is specifically mentioned in the Security Considerations
> section of RFC 5155, so, true.
And I should note that in the case of .com and .net zones signed with NSEC3,
rather than going to the trouble of spoofing a domain into existence, a bad
guy with ~USD 10 could just buy the domain.

Matt

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
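The validator-side behaviour the thread is discussing, as an added worked example (this is not code from the DNSOP thread or from any DNSSEC implementation): it implements the NSEC3 hash of RFC 5155 section 5, builds a complete NSEC3 chain for a constructed parent zone, and then applies the RFC 5155 section 8.9 rule for a referral that arrives with no DS and no RRSIG. With the Opt-Out flag set on the covering NSEC3, a delegation to a name that was never in the zone ("victim.example", a constructed name) is accepted as insecure; with Opt-Out clear the same referral is bogus. The salt and iteration count are the RFC 5155 Appendix A parameters; the zone contents and the child names are assumptions for the demo. The check is simplified to delegations directly under the apex, so the "next closer name" is the delegation name itself and the closest-encloser proof is skipped.

```python
"""NSEC3 opt-out and unsigned referrals (RFC 5155 sections 5, 6, 8.9).

Added example, not code from the DNSOP thread. Zone contents and the
child names below are constructed for the demo.
"""
import base64
import hashlib

# base32 (RFC 4648) -> base32hex, the encoding NSEC3 uses for hashed owner names
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPT_OUT = 0x01  # NSEC3 Flags field, bit 0 (RFC 5155 section 3.1.2.1)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte SHA-1 digest -> 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_covers(owner: str, nxt: str, target: str) -> bool:
    """True if target hashes strictly between owner and next; the last NSEC3
    in the chain wraps around to the first."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt


def build_chain(names_types, salt_hex, iterations, opt_out):
    """Complete NSEC3 chain for a toy zone: (owner_hash, flags, next_hash, types)."""
    flags = OPT_OUT if opt_out else 0
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), set(t))
                    for n, t in names_types.items())
    return [(owner, flags, hashed[(i + 1) % len(hashed)][0], types)
            for i, (owner, types) in enumerate(hashed)]


def classify_unsigned_referral(name, chain, salt_hex, iterations):
    """What a validator concludes about a referral carrying no DS and no RRSIG
    (RFC 5155 section 8.9, simplified to children of the apex)."""
    h = nsec3_hash(name, salt_hex, iterations)
    for owner, flags, nxt, types in chain:
        if owner == h:  # matching NSEC3: the name provably exists in the parent
            if "DS" in types or "SOA" in types or "NS" not in types:
                return "bogus"  # a DS is being hidden, or this is no delegation
            return "insecure"  # proven unsigned delegation
    for owner, flags, nxt, types in chain:
        if nsec3_covers(owner, nxt, h):
            # Covering NSEC3 with Opt-Out set: unsigned delegations may exist in
            # this span, so the referral is accepted as insecure. That is the
            # window the thread describes: an attacker can spoof a delegation
            # for a name the zone never contained.
            return "insecure" if flags & OPT_OUT else "bogus"
    return "bogus"  # no matching or covering NSEC3 at all


SALT, ITERATIONS = "aabbccdd", 12  # RFC 5155 Appendix A parameters
PARENT_ZONE = {  # constructed parent zone, type bitmaps only
    "example": {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "signed-child.example": {"NS", "DS", "RRSIG"},
    "unsigned-child.example": {"NS"},
}
PROBES = ("signed-child.example", "unsigned-child.example", "victim.example")


def demo():
    """Classify the same three unsigned referrals against an opt-out chain and
    a non-opt-out chain; returns {opt_out: {name: verdict}}."""
    return {opt_out: {n: classify_unsigned_referral(
                          n, build_chain(PARENT_ZONE, SALT, ITERATIONS, opt_out),
                          SALT, ITERATIONS) for n in PROBES}
            for opt_out in (True, False)}


if __name__ == "__main__":
    for opt_out, verdicts in demo().items():
        print("Opt-Out set" if opt_out else "Opt-Out clear", verdicts)
```

"victim.example" is never in the parent zone, yet with Opt-Out set its referral comes back "insecure", exactly the case Matt's reply points out is cheaper to reach by simply registering the name. "signed-child.example" is "bogus" either way because the matching NSEC3 proves a DS exists that the referral omitted.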