Could a DNSSEC at level n manipulate a zone at level n+2?

Posted by jroith on Server Fault See other posts from Server Fault or by jroith
Published on 2011-02-05T12:45:52Z Indexed on 2011/02/05 15:27 UTC
Read the original article Hit count: 224

Filed under:

dnssec

With some people wondering how DNSSEC could affect global censorship, I'd like to know if DNSSEC could protect a zone from being partially modified by a grandparent zone. (The point of this question is not to suggest that ICANN or it's members are not be trusted, but to figure out how DNSSEC affects the power they could exercise in theory.)

For example:

ICANN owns the root zone
The .de zone is delegated to DENIC, Germany.
Assume example.de is delegated to some 3rd party.

Now, assuming DENIC does not remove example.de from their zone, would it be possible for them to redirect the subdomain abc.example.de elsewhere by returning signed records from the .de servers for abc.example.de ?

Similarly, would it be possible for the DNS root to easily return signed fake records of a third-level domain xy.z while the second-level zone z is not participating in this and is not affected otherwise?

Related posts about dnssec

DNSSEC - Ad Flag not activated

as seen on Server Fault - Search for 'Server Fault'
Hi all, I have some doubts regarding DNSSEC. I have one server acting as an Authoritative Name Server and another one as a Cache/Resolver. I'm using Bind 9.7.1-P2 and these are my configuration files: Named.conf (Authoritative Server) // Opciones de configuracion del servidor include "/etc/rndc… >>> More
How to find domain registrar and DNS hosting with good DNSSEC support?

as seen on Pro Webmasters - Search for 'Pro Webmasters'
Simplified problem I want to buy a domain and make a website that is fully secured with DNSSEC. Background I've been hearing about the insecurity of DNS for years. I've watched all of the talks by Dan Kaminsky and others from DNS exploits to The future of DNS Security Panel. I knew that using DNS… >>> More
DNSCurve vs DNSSEC

as seen on Server Fault - Search for 'Server Fault'
Can someone informed, please give a lengthy reply about the differences and advantages/disadvantages of both approaches? I am not a DNS expert, not a programmer. I have a decent basic understanding of DNS, and enough knowledge to understand how things like the kaminsky bug work. From what I understand… >>> More
DNSSEC - What doesn't it cover?

as seen on Server Fault - Search for 'Server Fault'
I'm currently revising for an exam to do with DNS/DNSSEC. While I know DNSSEC provides various security enhancements for DNS, I would like to dive a bit deeper(for my own thirst for knowledge!) and would like to know what is still problematic security wise even after DNSSEC is employed? After all… >>> More
Debian DNSSEC - howto secure a domain?

as seen on Server Fault - Search for 'Server Fault'
I have a beginner question about DNSSEC. I have much experience with TLS and cryptography-stuff and would like to try out this new technology. I have googled very much about this but I haven't found useful information for me. I think one confusion in information gathering is that "Debian howto DNSSEC… >>> More

Developer IT