10 Dec 2021, 8:38 a.m.
Mark Andrews wrote:
Just saying, facts are on my side. Check the number of times dnssec caused an outage. Then check the number of hacks prevented by dnssec. Literally 0.
How do you know? Unless you investigated every single time DNSSEC validation returned bogus to get to the root cause you cannot know. How?
Because most birthday attacks for plain DNS will fail, you can almost always know DNSSEC answer is bogus by comparing answers from DNSSEC and plain DNS.
That the root cause may not be known is not a problem.
Masataka Ohta