[Discuss] free SSL certs from the EFF
Richard Pieri
richard.pieri at gmail.com
Wed Dec 3 11:20:37 EST 2014
On 12/3/2014 10:52 AM, Derek Atkins wrote:

> Actually, it was designed to protect against that. I sat in the
> IETF meetings where that was explicitly discussed. If an intermediary
> strips the DNSSEC records out then a resolver expecting DNSSEC will
> force a validation error.

Which results in a denial of service for clients if DNSSEC is enforced.
That's not protecting users; that's dumping them into black holes.

> Well, it sort of does, but it's not easy. But this is why they use
> ZSKs. The Root Zone KSK is mightily protected.

So, too, allegedly, were the keys at DigiNotar.

--
Rich P.