[Cerowrt-devel] Problems with DNSsec on Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Fri Oct 3 13:28:05 EDT 2014
On Fri, 03 Oct 2014 05:28:35 -0400, Anders Kaseorg said:
> This bottom-up algorithm also seems to have a security problem thatÂ’s
> just as bad as one with the top-down algorithm that you rejected below.
> Consider the same department.campus.university.edu example, where
> campus and edu are signed zones, and university is not a zone.
This issue is why trust anchors were devised so people could start deploying
DNSSEC before stuff like .COM got signed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 848 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20141003/557d9f89/attachment.sig>
More information about the Cerowrt-devel
mailing list