David Wilson wrote:

>>As has been discussed in the thread, DNSSEC is NOT a protection
>>against cache poisoning, because caches poisoned with forged
>>certificate breaks the security.

> I think you need to explain how this happens in detail.

In detail??? See below.

> With DNSSEC, a security aware resolver will want to check the signature.

Except for glue A.

Masataka Ohta

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf