[185882] in North American Network Operators' Group
Re: DNSSEC and ISPs faking DNS responses
daemon@ATHENA.MIT.EDU (Tony Finch)
Mon Nov 16 06:11:40 2015
X-Original-To: nanog@nanog.org
Date: Mon, 16 Nov 2015 11:11:33 +0000
From: Tony Finch <dot@dotat.at>
To: Owen DeLong <owen@delong.com>
In-Reply-To: <9A14E989-8633-4937-BE46-7D27F5747235@delong.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Owen DeLong <owen@delong.com> wrote:
> Again, if you’re the only resolver the clients are using, you can claim that
> nothing from the root down is signed without ever providing any cryptographic
> anything.
If the client is validating it will know the root is signed and the ISP
resolver will not be able to strip signatures without breaking validation.
Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Thames, Dover, Wight, Portland: Southwest 6 to gale 8, decreasing 5 for a
time, perhaps severe gale 9 later. Moderate or rough, occasionally very rough
later. Rain at times. Moderate or good, occasionally poor.
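The point in the reply above, worked as an added toy model (not code from the thread or from any DNS implementation): a validating client starts from a root trust anchor it already holds, so a resolver that answers "nothing is signed" produces a bogus result, not an insecure one, and only a signed proof of no DS from the parent can make a zone legitimately insecure. HMAC stands in for RRSIG/DNSKEY and the "DS" simply carries the child key; zone names, keys and answers are constructed.

```python
import hashlib, hmac, json

# Constructed zone keys. The toy "DS" carries the child's key in hex; a real DS
# carries a hash of the child's DNSKEY, but trust flows down the same way.
KEYS = {".": b"root-zsk-constructed", "example.": b"example-zsk-constructed"}
ROOT_TRUST_ANCHOR = KEYS["."]   # shipped with the client, never learned from the resolver

def _sig(key, content):
    """HMAC stands in for an RRSIG over a canonical RRset (toy, not DNSSEC wire format)."""
    return hmac.new(key, json.dumps(content, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def zone_record(zone, answer, child=None, child_signed=True, signed=True):
    """One link of the chain. child_signed=False models a signed NSEC-style
    proof that the child has no DS, i.e. the child is legitimately unsigned."""
    content = {"zone": zone, "answer": answer,
               "ds": KEYS[child].hex() if child and child_signed else None,
               "no_ds": child if child and not child_signed else None}
    return {"content": content, "rrsig": _sig(KEYS[zone], content) if signed else None}

def validate(chain, anchor=ROOT_TRUST_ANCHOR):
    """Walk the chain root-first and return 'secure', 'insecure' or 'bogus'
    (RFC 4033 terms). Each record is checked under a key the client already
    trusts, so a missing or bad RRSIG is 'bogus', never silently 'insecure'."""
    key = anchor
    for rec in chain:
        content, sig = rec["content"], rec["rrsig"]
        if sig is None or not hmac.compare_digest(sig, _sig(key, content)):
            return "bogus"        # signature stripped or forged
        if content["no_ds"]:
            return "insecure"     # parent signed a proof that the child is unsigned
        if content["ds"]:
            key = bytes.fromhex(content["ds"])   # trust flows down via the signed DS
    return "secure"

# Four constructed resolver responses for example. under the root:
HONEST = [zone_record(".", "NS a.root-servers.net.", child="example."),
          zone_record("example.", "A 192.0.2.1")]
STRIPPED = [{"content": r["content"], "rrsig": None} for r in HONEST]   # "nothing is signed"
UNSIGNED_CHILD = [zone_record(".", "NS a.root-servers.net.", child="example.", child_signed=False),
                  zone_record("example.", "A 192.0.2.1", signed=False)]
FORGED_DENIAL = [zone_record(".", "NS a.root-servers.net.", child="example.", child_signed=False, signed=False),
                 zone_record("example.", "A 192.0.2.1", signed=False)]

if __name__ == "__main__":
    for name, chain in [("honest", HONEST), ("stripped", STRIPPED),
                        ("unsigned child", UNSIGNED_CHILD), ("forged denial", FORGED_DENIAL)]:
        print(f"{name:15s} -> {validate(chain)}")
```

Only UNSIGNED_CHILD comes back insecure, because the denial of DS is signed under the anchored root key; the resolver cannot produce that signature itself, so both STRIPPED and FORGED_DENIAL come back bogus.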