[Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Oct 3 13:28:05 EDT 2014

On Fri, 03 Oct 2014 05:28:35 -0400, Anders Kaseorg said:

> This bottom-up algorithm also seems to have a security problem thatÂ’s 
> just as bad as one with the top-down algorithm that you rejected below. 
>   Consider the same department.campus.university.edu example, where 
> campus and edu are signed zones, and university is not a zone.

This issue is why trust anchors were devised so people could start deploying
DNSSEC before stuff like .COM got signed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 848 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20141003/557d9f89/attachment.sig>

More information about the Cerowrt-devel mailing list