On Sep 12, 2013, at 11:07 AM, Theodore Ts'o <tytso@xxxxxxx> wrote:

> Finally, if you think the target can try to find random caching
> nameservers all across the network to use, (a) there are certain
> environments where this is not allowed --- some ISPs or hotel/coffee
> shop/airline networks require that you use their name server, and
> (b) for good and proper reasons, most nameservers have been configured
> not to allow recursive queries to random IP addresses.

The model for this sort of validation is really not on a per-client basis, but rather depends on routine cross-validation by various DNSSEC operators throughout the network. This will not necessarily catch a really focused attack, so it's not a panacea, but it would limit the scope of the threat for this sort of attack.