On Jul 16, 2024, at 00:06, Di Ma via Datatracker <noreply@xxxxxxxx> wrote: > > Reviewer: Di Ma > Review result: Ready with Issues > > This version adds more discussions about DNSSEC to priming exchange, which I > think need clearer statements. > > In this document, the authors say “With such resolvers, an attacker that > controls a rogue root server effectively controls the entire domain name space > and can view all queries and alter all unsigned data undetected.” > > However, this is not true when a DNSSEC-aware resolver has been configured with > one or more Trust Anchors from some TLDs. In such case, it is not safe to say > "an attacker that controls a rogue root server effectively controls the entire > domain name space". Thank you for your review. Your addition is technically accurate, but that configuration is not known to be common. Further, your note would apply to any level in the DNS hierarchy, and describing it would be difficult in a document that is about priming the root. If there is any research that indicates widespread use of such TLD-or-below trust anchors, that would be really interesting to hear about. --Paul Hoffman -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx
