> With DNSSEC, a security-aware resolver will want to check the
> signature.
> Except for glue A.
> which makes DNSSEC as insecure as plain old DNS.
Um, I think I disagree.
Given a system with many points of compromise and a system with fewer
points of compromise, other things being equal, I think it's fair to
say the latter is more secure, even if successful compromises lead to
approximately equal levels of damage.
Is the difference in this case substantial? I don't know; I haven't
looked at any of the attacks in enough detail to have more than wild
guesses at their difficulties. But I think "as insecure as" is
inaccurate, even if the truth is something more like "only marginally
more secure than".
In particular, domains that do not need glue records are not threatened
by this. (Of course, their nameserver address records need securing,
or there is a similar attack that could work. But it increases the
complexity of the attack at the very least, and once the root zone is
signed it will be theoretically possible, at least, to avoid the
problem completely.)
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse(_at_)rodents-montreal(_dot_)org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
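The distinction the reply draws (glue A records are unsigned hints, the nameserver's own address record is the data that needs securing, and a domain whose nameservers lie outside the zone needs no glue at all) can be modelled in a few lines. The following is an added, constructed example, not code from the ASRG thread or from any resolver implementation; the zone names, addresses and the `signed` flag standing in for a validated RRSIG are all assumptions.

```python
"""Toy model of how a DNSSEC-aware resolver should treat glue A records.

Constructed example. The 'signed' flag on a record stands in for "an RRSIG
for this RRset validated"; real resolvers perform that validation, this model
only records its outcome. Names and addresses are made up (RFC 5737 ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    signed: bool = False  # True when the RRset's signature validated (modelled as a flag)


@dataclass
class Referral:
    """A parent's referral for a child zone: NS RRset plus additional-section glue.
    Glue in the additional section is never signed by the parent."""
    zone: str
    ns: list
    additional: list


def in_bailiwick(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def needs_glue(zone: str, ns_names: list) -> list:
    """Only nameservers whose names lie inside the delegated zone require glue;
    any other nameserver's address is obtained by an ordinary, signed lookup."""
    return [n for n in ns_names if in_bailiwick(n, zone)]


def classify_additional(ref: Referral) -> dict:
    """Label each additional-section record: in-bailiwick A records are usable
    bootstrap hints, anything else is outside the parent's authority and is dropped."""
    labels = {}
    for rr in ref.additional:
        if rr.rtype == "A" and in_bailiwick(rr.name, ref.zone):
            labels[rr.name] = "glue-hint"
        else:
            labels[rr.name] = "discard"
    return labels


def validated_address(name: str, authoritative: dict):
    """Return the A rdata for name only if it came from the authoritative zone
    and its signature validated; otherwise None."""
    for rr in authoritative.get(name, []):
        if rr.rtype == "A" and rr.signed:
            return rr.rdata
    return None


def naive_ns_address(ns_name: str, ref: Referral):
    """A resolver that treats glue as an answer: hands back the unsigned glue rdata."""
    for rr in ref.additional:
        if rr.name == ns_name and rr.rtype == "A":
            return rr.rdata
    return None


def dnssec_aware_ns_address(ns_name: str, ref: Referral, authoritative: dict):
    """Use glue only to reach the child; the address that is trusted (and cached
    as an answer) must be the validated one from the authoritative zone.
    Returns (address, note)."""
    hint = naive_ns_address(ns_name, ref)
    if hint is None and in_bailiwick(ns_name, ref.zone):
        raise ValueError(f"in-bailiwick nameserver {ns_name} has no glue to bootstrap from")
    addr = validated_address(ns_name, authoritative)
    if addr is None:
        raise ValueError(f"no validated A record for {ns_name}")
    note = "glue matched validated data" if addr == hint else "validated data wins over glue hint"
    return addr, note


# Constructed scenario: example.com. has one in-bailiwick and one external nameserver.
# The glue for ns1 is deliberately stale so the two resolvers give different answers.
CHILD = "example.com."
REFERRAL = Referral(
    zone=CHILD,
    ns=[RR(CHILD, "NS", "ns1.example.com."), RR(CHILD, "NS", "ns2.dns-provider.net.")],
    additional=[RR("ns1.example.com.", "A", "192.0.2.11")],  # unsigned glue, stale
)
AUTHORITATIVE = {
    "ns1.example.com.": [RR("ns1.example.com.", "A", "192.0.2.10", signed=True)],
    "ns2.dns-provider.net.": [RR("ns2.dns-provider.net.", "A", "198.51.100.5", signed=True)],
}

if __name__ == "__main__":
    print("glue required for:", needs_glue(CHILD, [r.rdata for r in REFERRAL.ns]))
    print("naive:", naive_ns_address("ns1.example.com.", REFERRAL))
    print("aware:", dnssec_aware_ns_address("ns1.example.com.", REFERRAL, AUTHORITATIVE))
    print("aware:", dnssec_aware_ns_address("ns2.dns-provider.net.", REFERRAL, AUTHORITATIVE))
```

The naive path returns whatever the parent's additional section said; the aware path treats that value as a contact hint only and reports the signed address from the zone that actually owns the nameserver name, which is why `ns2.dns-provider.net.` needs no glue at all.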