Formal proofs expose long standing cracks in DNSSEC - Help Net Security
www.helpnetsecurity.com
DNSSEC research reveals validation gaps and operational risks, showing how protocol design and resolver behavior can undermine DNS security.

DNSSEC is meant to stop attackers from tampering with DNS answers. It signs records so resolvers can verify that data is authentic and unchanged. Many security teams assume that if DNSSEC validation passes, the answer can be trusted. New academic research suggests that assumption deserves closer scrutiny. Researchers from Palo Alto Networks, Purdue University, the University of California Irvine, and the University of Texas at Dallas present an analysis of DNSSEC that goes beyond bug … More → The post Formal proofs expose long standing cracks in DNSSEC appeared first on Help Net Security.

  • DeebsterEnglish
    8·
    1 day ago

    Off the top of my head, this will cause client lookups to always be as slow as the slowest server, as well as increasing server loads. You could perhaps request from more than three servers and use the first replies, but then you’re increasing server loads even more and not necessarily even looking at the responses.

    Also, if the error/attack is higher in the DNS hierarchy, all the edge servers would report the same incorrect data.