DNSSEC and CVE-2012-1033 (Ghost domain names)

Casey Deccio casey at deccio.net
Mon Feb 13 23:59:28 UTC 2012


On Mon, Feb 13, 2012 at 2:31 PM, Tony Finch <dot at dotat.at> wrote:

> Florian Weimer <fw at deneb.enyo.de> wrote:
> >
> > Doesn't the DNSSEC-based mitigation rely on RRSIGs whose validity does
> > not extend too far into the future?
>
> It depends on the TTL of the DS record or its proof of nonexistence.
>
>
Of course, the TTL is also bounded by the expiration of the RRSIG.

Casey