DNSSEC and ISPs faking DNS responses

Tony Finch dot at dotat.at
Mon Nov 16 11:11:33 UTC 2015

Owen DeLong <owen at delong.com> wrote:

> Again, if you’re the only resolver the clients are using, you can claim that
> nothing from the root down is signed without ever providing any cryptographic
> anything.

If the client is validating it will know the root is signed and the ISP
resolver will not be able to strip signature without breaking validation.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Thames, Dover, Wight, Portland: Southwest 6 to gale 8, decreasing 5 for a
time, perhaps severe gale 9 later. Moderate or rough, occasionally very rough
later. Rain at times. Moderate or good, occasionally poor.

More information about the NANOG mailing list