In article <E64EBBA5-3520-4E6A-9F00-6A884C383FE7@virtualized.org> you write:
On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
What affect will Allegedly Secure DNS have on such provider hijackings, both of DNS and crammed-in content?
If what Verizon is doing is rewriting NXDOMAIN at their caching servers, DNSSEC will _not_ help. Caching servers do the validation and the insertion of the search engine IP addresses in the response would occur after the validation.
Regards, -drc
All you have to do is move the validation to a machine you control to detect this garbage. dnssec-enable yes; dnssec-validation yes; forward only; forwarders { <Verizon's caching servers>; }; dnssec-lookaside . trust-anchor <dlv registry>; All lookups which Verizon has interfered with from signed zones will fail. Mark