I notice there is a weakness in DNSSEC-aware resolvers which is the root public key. If hackers can disrupt the pre-stored root trust anchor, the resolvers can not resolve any domain due to chain of trust not established. But is that a big deal.
No, not at all. ISPs are required to supply 2 or more resolvers to clients. Even one resolver breaks down, the other will serve immediately. The chance of hackers damage two resolvers at the same time is quite limited.
No comments:
Post a Comment