Shane Kerr wrote:

>>> I think we all understand that it is possible to inject bad data into
>>> the DNS at the parent.

> I "the parent" in the same sense as in RFC 1034 - the delegating level.
> So, for EXAMPLE.COM this would be COM.

If you mean the COM zone, it is not necessary to inject any data into the zone. You, instead, can inject a forged certificate into some cache used by your victim. It will be extremely easy if people are deceived into thinking that DNSSEC is so secure that no protection on the cache is necessary.

Masataka Ohta

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
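The risk the reply describes, modelled as an added example that is not part of the thread: a stub client that trusts whatever a shared cache holds (assuming DNSSEC "happened upstream") accepts a forged TLSA record written into that cache, while a client that validates the record against its own trust anchor rejects it. The signing scheme is a constructed HMAC stand-in for RRSIG/DNSKEY public-key signatures, the zone key, attacker key, record contents and cache class are all assumptions made for the demonstration, and the forged entry simply overwrites the cache slot to stand in for any cache-poisoning path.

```python
import hashlib
import hmac

# Constructed stand-in for DNSSEC signing: a real zone uses DNSKEY/RRSIG
# public-key signatures; here the zone key doubles as the trust anchor.
ZONE_KEY = b"example.com-zone-signing-key (constructed)"
ATTACKER_KEY = b"attacker-key (constructed; attacker lacks the zone key)"
OWNER = "_443._tcp.example.com"
GENUINE_TLSA = "3 1 1 <genuine-cert-hash placeholder>"
FORGED_TLSA = "3 1 1 <attacker-cert-hash placeholder>"


def sign(name, rtype, rdata, key):
    """Signature over the owner name, type and RDATA (HMAC stand-in for RRSIG)."""
    msg = f"{name}|{rtype}|{rdata}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_record(name, rtype, rdata, key):
    return {"name": name, "type": rtype, "rdata": rdata,
            "sig": sign(name, rtype, rdata, key)}


def verify(record, trust_anchor):
    """Recompute the signature with the trust anchor; constant-time compare."""
    expected = sign(record["name"], record["type"], record["rdata"], trust_anchor)
    return hmac.compare_digest(record["sig"], expected)


class Cache:
    """Shared resolver cache keyed by (owner, type); no protection of its own."""

    def __init__(self):
        self.store = {}

    def put(self, record):
        self.store[(record["name"], record["type"])] = record

    def get(self, name, rtype):
        return self.store.get((name, rtype))


def lookup_trusting_cache(cache, name, rtype):
    """Stub that assumes anything in the cache was already DNSSEC-validated."""
    rec = cache.get(name, rtype)
    return rec["rdata"] if rec else None


def lookup_validating(cache, name, rtype, trust_anchor):
    """Stub that validates the record locally before using it."""
    rec = cache.get(name, rtype)
    if rec is None or not verify(rec, trust_anchor):
        return None  # missing or bogus: do not use the certificate association
    return rec["rdata"]


def demo():
    cache = Cache()
    cache.put(make_record(OWNER, "TLSA", GENUINE_TLSA, ZONE_KEY))
    # Attacker replaces the cached entry with a forged TLSA record; the forged
    # signature is made with a key that is not the zone's key.
    cache.put(make_record(OWNER, "TLSA", FORGED_TLSA, ATTACKER_KEY))
    return {
        "trusting": lookup_trusting_cache(cache, OWNER, "TLSA"),
        "validating": lookup_validating(cache, OWNER, "TLSA", ZONE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The trusting lookup hands back the attacker's certificate hash; the validating lookup returns nothing, which is the correct failure for a bogus record. The practical reading is the one RFC 4035 gives for the AD bit: only treat a cached or forwarded answer as secure when you validated it yourself or received it over a channel you trust from a validator you trust.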