Hacker News | iinventeddice's comments

Update 2

Derek and I had a good talk on the phone, and some things I brought up are that if the domain usadotgov.net does get hijacked and the person does fiddle with things, it could cause some issues if you are using a non-verifying DNSSEC resolver (not only this, but .net domains can’t be signed at the registry yet). But the question becomes: does the resolver go to the root or the .net for the information for a.usadotgov.net, and do all resolvers work the same? What he was trying to convey is that since the records are signed and the government uses verifying resolvers, there should be no issues.

I also brought up the fact that a country could send back spoofed records from the root servers, as has happened before. If I can spoof a.usadotgov.net and look like I’m answering from l.root-servers.net, then what happens? Hopefully this will all go away as DNSSEC is more widely deployed.

Update 3

I asked Paul Vixie the question below as I didn’t want to keep going back and forth on the issue.

“I guess my question is what happens to .org if usadotgov.net is hijacked, what damage can truly be done?”

His reply:

Such a hijacker could make any .gov name say anything they wanted it to say, as long as the software looking up the bad data wasn’t dnssec-aware.
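
The distinction drawn above between validating and non-validating resolvers can be checked from the client side. The following is an added example, not code from the comment or from anyone quoted in it: it builds a query with the EDNS0 DO bit set and classifies a resolver's reply by its header flags. The function names and the sample reply headers are constructed for illustration; nothing is sent over the network.

```python
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits
DO = 0x8000        # EDNS0 "DNSSEC OK" flag, carried in the OPT record's TTL field
SERVFAIL = 2

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, qid=0x1234):
    """Build a recursive query that asks the resolver for DNSSEC handling."""
    # AD set in a query signals that the client wants AD reported in the reply.
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, type 41, class = UDP payload size,
    # then extended rcode, version, flags (DO), and a zero-length RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO, 0)
    return header + question + opt

def classify_response(msg):
    """Classify a resolver reply from its 12-byte header alone."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, *_counts = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    if flags & 0x000F == SERVFAIL:
        # What a validating resolver returns when signatures do not verify
        # (SERVFAIL can also have unrelated causes).
        return "servfail"
    return "validated" if flags & AD else "unvalidated"

def sample_header(flags):
    """Constructed reply header with no records, for demonstration only."""
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    print(build_query("a.usadotgov.net").hex())
    print(classify_response(sample_header(QR | RD | RA | AD)))
    print(classify_response(sample_header(QR | RD | RA)))
    print(classify_response(sample_header(QR | RD | RA | SERVFAIL)))
```

An "unvalidated" answer for a signed zone means the resolver passed the data along without checking it, which is the case where hijacked delegation data would be accepted. The AD bit is only as trustworthy as the path between the client and the resolver.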

