DNSSEC and ISPs faking DNS responses
dot at dotat.at
Mon Nov 16 11:11:33 UTC 2015
Owen DeLong <owen at delong.com> wrote:
> Again, if you’re the only resolver the clients are using, you can claim that
> nothing from the root down is signed without ever providing any cryptographic
If the client is validating it will know the root is signed and the ISP
resolver will not be able to strip signature without breaking validation.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Thames, Dover, Wight, Portland: Southwest 6 to gale 8, decreasing 5 for a
time, perhaps severe gale 9 later. Moderate or rough, occasionally very rough
later. Rain at times. Moderate or good, occasionally poor.
More information about the NANOG