nanog mailing list archives

Re: DNSSEC and ISPs faking DNS responses


From: Tony Finch <dot () dotat at>
Date: Mon, 16 Nov 2015 11:11:33 +0000

Owen DeLong <owen () delong com> wrote:

> Again, if you’re the only resolver the clients are using, you can claim that
> nothing from the root down is signed without ever providing any cryptographic
> anything.

If the client is validating, it will know the root is signed, and the ISP
resolver will not be able to strip signatures without breaking validation.

Tony.
-- 
f.anthony.n.finch  <dot () dotat at>  http://dotat.at/
Thames, Dover, Wight, Portland: Southwest 6 to gale 8, decreasing 5 for a
time, perhaps severe gale 9 later. Moderate or rough, occasionally very rough
later. Rain at times. Moderate or good, occasionally poor.
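
The validation rule discussed in this message, sketched as an added example that is not part of the original email: a client holding the root trust anchor accepts "this child zone is unsigned" only when the root signs that denial. Toy textbook RSA stands in for a real RRSIG algorithm, and all names and records below are constructed for illustration.

```python
import hashlib

# Toy textbook RSA over two Mersenne primes stands in for a real RRSIG
# algorithm (assumption for illustration only: not secure, not wire format).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                            # (N, E) plays the client's root trust anchor
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, held only by the root zone

def digest(rrset: str) -> int:
    return int.from_bytes(hashlib.sha256(rrset.encode()).digest(), "big") % N

def sign(rrset: str) -> int:
    """Performed by the zone operator; a resolver in the path cannot do this."""
    return pow(digest(rrset), D, N)

def sig_ok(rrset: str, sig) -> bool:
    return sig is not None and pow(sig, E, N) == digest(rrset)

def classify_delegation(resp: dict) -> str:
    """Status of a child zone as seen from a parent the client knows is signed."""
    ds, no_ds = resp.get("ds"), resp.get("nsec_no_ds")
    if ds and sig_ok(ds, resp.get("ds_sig")):
        return "secure"      # signed DS: the child must be signed as well
    if no_ds and sig_ok(no_ds, resp.get("nsec_sig")):
        return "insecure"    # the parent's own signed proof that no DS exists
    return "bogus"           # unsigned claim under a signed parent: lookup fails

# Constructed sample records (hypothetical contents, not real DNS data).
DS = "example. IN DS 12345 8 2 <constructed digest>"
NO_DS = "example. IN NSEC <constructed: no DS bit in type map>"
RESPONSES = {
    "signed child":         {"ds": DS, "ds_sig": sign(DS)},
    "unsigned child":       {"nsec_no_ds": NO_DS, "nsec_sig": sign(NO_DS)},
    "stripped by resolver": {},                       # no RRSIGs, no proof
    "unsigned denial":      {"nsec_no_ds": NO_DS},    # claim without signature
    "forged denial":        {"nsec_no_ds": NO_DS, "nsec_sig": 1},
}

def demo() -> dict:
    return {name: classify_delegation(r) for name, r in RESPONSES.items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:22} -> {status}")
```

Only the two responses carrying a valid root signature are accepted; every stripped or unsigned variant is classified bogus rather than insecure, so the lookup fails instead of silently succeeding.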

