On Fri, Nov 12, 2021 at 3:09 PM Rubens Kuhl <rubensk@gmail.com> wrote:
DNSSEC would help here. NetSol's rogue nameserver wouldn't be able to produce the signed zone if validation were required.
Nope, they could just remove the DS since they are the registrar for that domain. DNSSEC only protects against a DNS provider going rogue, not your own hired registrar.
DNSSEC would help DNS for the non-expired domain because the rogue server would not have the key.

To my mind, though, Netsol's server should not be responding with authoritative answers to random domains that aren't assigned to it. That it does makes me think it's a good candidate for black-holing in the routing system.

Regards,
Bill Herrin

-- 
William Herrin
bill@herrin.us
https://bill.herrin.us/
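The two cases argued in this thread (DS still published at the parent versus DS removed by the registrar), modelled as an added example that is not part of any poster's message. The zone name and key bytes are constructed, and RRSIG verification is reduced to a boolean the caller supplies, so only the chain-of-trust decision is shown.

```python
import hashlib
import struct

def wire_name(name):
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(pubkey, flags=257, algorithm=13):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner wire name + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def validate(parent_ds, owner, served_dnskey, signature_ok):
    """Outcome a validating resolver reaches for one delegation.
    parent_ds: DS digests published in the parent zone (empty set = no DS,
    assumed here to be proven by the parent's signed denial).
    signature_ok: assumption standing in for RRSIG verification."""
    if not parent_ds:
        return "insecure"   # no DS: unsigned answers are accepted as-is
    if served_dnskey is None or not signature_ok:
        return "bogus"      # DS exists but the answer is unsigned or invalid
    if ds_digest(owner, served_dnskey) not in parent_ds:
        return "bogus"      # key is not the one pinned by the parent
    return "secure"

ZONE = "example.com."                              # constructed zone name
LEGIT_KEY = dnskey_rdata(bytes(range(64)))         # constructed, not a real key
ROGUE_KEY = dnskey_rdata(bytes(range(64, 128)))    # constructed, not a real key

def scenarios():
    ds = {ds_digest(ZONE, LEGIT_KEY)}
    return {
        "zone owner's server, DS present": validate(ds, ZONE, LEGIT_KEY, True),
        "other server, unsigned, DS present": validate(ds, ZONE, None, False),
        "other server, own key, DS present": validate(ds, ZONE, ROGUE_KEY, True),
        "other server, DS removed at parent": validate(set(), ZONE, None, False),
    }

if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case}: {outcome}")
```

For a domain owner, the last case is the one to monitor: a DS RRset that disappears from the parent zone silently downgrades the domain from validated to unvalidated.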