Could a DNSSEC at level n manipulate a zone at level n+2?
Posted by jroith on Server Fault
Published on 2011-02-05T12:45:52Z
dnssec
With some people wondering how DNSSEC could affect global censorship, I'd like to know if DNSSEC could protect a zone from being partially modified by a grandparent zone. (The point of this question is not to suggest that ICANN or its members are not to be trusted, but to figure out how DNSSEC affects the power they could exercise in theory.)
For example:
- ICANN owns the root zone
- The .de zone is delegated to DENIC, Germany.
- Assume example.de is delegated to some 3rd party.
Now, assuming DENIC does not remove example.de from their zone, would it be possible for them to redirect the subdomain abc.example.de elsewhere by returning signed records from the .de servers for abc.example.de?
Similarly, would it be possible for the DNS root to easily return signed fake records of a third-level domain xy.z while the second-level zone z is not participating in this and is not affected otherwise?
© Server Fault or respective owner