* Nick Lamb:

> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee  wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries,
> so they're not subject to cache poisoning since they don't look at
> cached answers.

I'm not sure if you can resolve all domains without some sort of DNS
cache, in the sense that you never use data from one answer to satisfy
more than one query (which can be internally generated).

More reasonable would be to require that the resolver starts with a
cold cache (possibly preloaded with a copy of the root zone) and
performs DNSSEC validation starting with the IANA keys.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to