[Discuss] free SSL certs from the EFF

Richard Pieri richard.pieri at gmail.com
Tue Dec 2 14:14:59 EST 2014


Derek,

According to the DNSSEC specs, if there is no RRSIG record in the lookup 
answer then a properly behaved resolver will treat it as unsigned. 
Backwards compatibility with so-called insecure DNS is an explicit 
requirement of DNSSEC. So, what happens when a malicious actor inserts 
filters at an intermediary resolver or router that strip RRSIG records 
from DNS answers?

DNSSEC was never intended to protect you against that. It was designed 
to protect high-level caches -- root zones, ISPs, big data players, 
private networks, and the like -- from cache poisoning. That's it. Any 
benefits that might trickle down to you are incidental.

Never mind that DNSSEC has no means of rolling over the root KSKs. If a 
root is compromised then the whole domain hierarchy is compromised and 
there currently is no way to fix that other than disabling DNSSEC for 
the hierarchy or accepting loss of service for everything under that root.

Aside: It's DNSSEC. It is not DNSsec, nor DNS-SEC, nor dns-sec, nor 
DNS-sec, nor is it any variant that is not DNSSEC.

-- 
Rich P.
