From a19807eb78cad2dbbf697a8140eff06d14f03fa0 Mon Sep 17 00:00:00 2001 From: Ashley Chiu Date: Wed, 31 Jan 2024 15:48:23 -0800 Subject: [PATCH] [dnssec] typo --- network/dnssec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/dnssec.md b/network/dnssec.md index 14bb328..73e2986 100644 --- a/network/dnssec.md +++ b/network/dnssec.md @@ -299,7 +299,7 @@ This response has the final answer `A` type record and a signature on the final Remember that DNS is designed to be fast and lightweight. However, public-key cryptography is slow, because it requires math. As a result, name servers that support DNSSEC sign records _offline_--records are signed ahead of time, and the signatures saved in the server along with the records. When the server receives a DNS query, it can immediately return the saved signature without computing it. -Offline signing works fine for existing domains, but what if we receive a request for a nonxistent domain? There are infinitely many nonexistent domains, so we cannot sign them all offline. However, we cannot sign requests for nonexistent domains _online_ either, because this is too slow. Also, online cryptography makes name servers vulnerable to an attack. Sanity check: what's the attack?[^3] +Offline signing works fine for existing domains, but what if we receive a request for a nonexistent domain? There are infinitely many nonexistent domains, so we cannot sign them all offline. However, we cannot sign requests for nonexistent domains _online_ either, because this is too slow. Also, online cryptography makes name servers vulnerable to an attack. Sanity check: what's the attack?[^3] DNSSEC has a clever solution to this problem--instead of signing individual nonexistent domains, name servers pre-compute signatures on _ranges_ of nonexistent domains. Suppose we have a website with three subdomains: