Could a DNSSEC at level n manipulate a zone at level n+2?

Posted by jroith on Server Fault
Published on 2011-02-05T12:45:52Z

With some people wondering how DNSSEC could affect global censorship, I'd like to know if DNSSEC could protect a zone from being partially modified by a grandparent zone. (The point of this question is not to suggest that ICANN or its members are not to be trusted, but to figure out how DNSSEC affects the power they could exercise in theory.)

For example:

  • ICANN owns the root zone
  • The .de zone is delegated to DENIC, Germany.
  • Assume example.de is delegated to some 3rd party.

Now, assuming DENIC does not remove example.de from their zone, would it be possible for them to redirect the subdomain abc.example.de elsewhere by returning signed records from the .de servers for abc.example.de?

Similarly, would it be possible for the DNS root to easily return signed fake records of a third-level domain xy.z while the second-level zone z is not participating in this and is not affected otherwise?
