[governance] DNSSEC, was USG on ICANN - no movement here
John Levine
icggov at johnlevine.com
Mon Aug 11 17:55:48 EDT 2008

>For instance, in the case of Verisign adding a wildcard to the .com
>zone, there were secondaries that took out that resource record.
>DNSSEC will put a stop to the option of secondaries to change the
>content of the zone.

Secondaries? Of .COM? Really? Of a zone with 180 million records?

All the countermeasures I know to the .COM wildcard were ad-hoc hacks
in caches or resolvers that looked for the specific IP address in
VRSN's wildcard A record and pretended it got NXDOMAIN. You can still
do that with DNSSEC.

I agree that more complex spoofs like the ones where ISPs substitute
their own result for NXDOMAIN will be harder, but in general I think
that's more good than bad.

R's,
John
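
The resolver-side countermeasure described in the message above, sketched as an added example (not part of the original post and not any resolver's actual code): a filter applied to a response after the resolver has finished processing it, DNSSEC validation included, which is why signing the zone does not prevent it. The address in `WILDCARD_ADDR` is a documentation-range placeholder, the function names are hypothetical, and the input is assumed to be a well-formed DNS message.

```python
import struct

# Assumption: placeholder for the wildcard A record's address (TEST-NET-1),
# not the address Verisign actually used.
WILDCARD_ADDR = bytes([192, 0, 2, 1])
NXDOMAIN = 3

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:                # root label ends the name
            return off
        off += length

def filter_wildcard(msg, wildcard=WILDCARD_ADDR):
    """Rewrite a response to NXDOMAIN if any answer is an A record for wildcard."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                # skip each question: name + type + class
        off = skip_name(msg, off) + 4
    question_end = off
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if rtype == 1 and rclass == 1 and rdata == wildcard:   # IN A match
            # Synthesized locally, so clear AA (0x0400) and AD (0x0020),
            # set RCODE to NXDOMAIN, and drop every record after the question.
            flags = (flags & ~0x042F) | NXDOMAIN
            return struct.pack("!6H", ident, flags, qd, 0, 0, 0) + msg[12:question_end]
        off += 10 + rdlen
    return msg                         # no wildcard address: pass through unchanged

def build_response(qname, addr):
    """Constructed sample input: a one-question, one-answer A response."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = q + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr
    return header + question + answer
```
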