* Nick Lamb:
> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries,
> so they're not subject to cache poisoning since they don't look at
> cached answers.
I'm not sure if you can resolve all domains without some sort of DNS cache, in the sense that you never use data from one answer to satisfy more than one query (which can be internally generated). More reasonable would be to require that the resolver starts with a cold cache (possibly preloaded with a copy of the root zone) and performs DNSSEC validation starting with the IANA keys.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
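To make the cache question concrete, here is an added example (not code from the thread or from any CA's validator): a toy iterative resolver over a constructed in-memory set of authoritative servers. The zones, the nameserver layout and the 192.0.2.x documentation-range addresses are all invented, and no DNSSEC validation is performed. It shows why "never reuse data from one answer" cannot be met literally: when example.com. is delegated to an out-of-bailiwick nameserver with no glue, the validator has to issue an internally generated query for that nameserver's address, and that query is driven by referral data it already received. What can be required is what the message proposes: a per-validation scratch cache that starts cold and is thrown away afterwards.

```python
"""Toy iterative resolver over constructed in-memory authoritative data.

Added example, not code from the thread. Zones, nameserver layout and the
192.0.2.x documentation-range addresses are all constructed. It does no
DNSSEC validation; it only illustrates the per-validation cache question.
"""
from dataclasses import dataclass, field


def under(name, zone):
    """True when absolute `name` is at or below absolute zone apex `zone`."""
    return zone == "." or name == zone or name.endswith("." + zone)


def ancestor_zones(name):
    """Candidate zone apexes for `name`, deepest first, ending at the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


@dataclass
class Server:
    ip: str
    zones: list                                       # apexes served here
    records: dict = field(default_factory=dict)       # (name, type) -> [rdata]
    delegations: dict = field(default_factory=dict)   # child apex -> [ns names]

    def query(self, qname, qtype):
        zone = max((z for z in self.zones if under(qname, z)), key=len, default=None)
        if zone is None:
            return "refused", None
        for child, ns_names in self.delegations.items():
            if child != zone and under(child, zone) and under(qname, child):
                # Glue only for nameservers inside the delegated child (in bailiwick)
                glue = {n: self.records[(n, "A")][0] for n in ns_names
                        if under(n, child) and (n, "A") in self.records}
                return "referral", (child, ns_names, glue)
        rdata = self.records.get((qname, qtype))
        return ("answer", rdata) if rdata else ("nodata", None)


# Constructed network: root, two TLDs, and one hosting server that serves
# both dns-host.net. and example.com. (so example.com.'s NS is out of bailiwick).
AUTH = {s.ip: s for s in [
    Server("192.0.2.1", ["."],
           records={("ns.com.", "A"): ["192.0.2.2"], ("ns.net.", "A"): ["192.0.2.3"]},
           delegations={"com.": ["ns.com."], "net.": ["ns.net."]}),
    Server("192.0.2.2", ["com."], delegations={"example.com.": ["ns1.dns-host.net."]}),
    Server("192.0.2.3", ["net."],
           records={("ns1.dns-host.net.", "A"): ["192.0.2.4"]},
           delegations={"dns-host.net.": ["ns1.dns-host.net."]}),
    Server("192.0.2.4", ["dns-host.net.", "example.com."],
           records={("ns1.dns-host.net.", "A"): ["192.0.2.4"],
                    ("www.example.com.", "A"): ["192.0.2.10"],
                    ("mail.example.com.", "A"): ["192.0.2.11"]}),
]}
ROOT_HINTS = ["192.0.2.1"]   # stands in for the IANA root hints (constructed)


class ScratchCache:
    """Referral state learned during one validation; discarded afterwards."""
    def __init__(self):
        self.ns = {}      # zone apex -> [ns names]
        self.addr = {}    # ns name -> address


def resolve(qname, qtype, cache, counter, depth=0):
    """Iterative lookup starting at the deepest zone whose nameserver address
    is already in `cache`, else at the root. counter[0] counts queries sent."""
    if depth > 4:
        raise RuntimeError("delegation chain too deep")
    ip = ROOT_HINTS[0]
    for zone in ancestor_zones(qname):
        known = [cache.addr[n] for n in cache.ns.get(zone, []) if n in cache.addr]
        if known:
            ip = known[0]
            break
    for _ in range(8):                       # bound the referral chain
        counter[0] += 1
        kind, payload = AUTH[ip].query(qname, qtype)
        if kind == "answer":
            return payload
        if kind != "referral":
            return []
        child, ns_names, glue = payload
        cache.ns[child] = ns_names
        cache.addr.update(glue)
        ns = ns_names[0]                     # a real resolver picks among all NS
        if ns not in cache.addr:
            # Out-of-bailiwick NS with no glue: an internally generated query,
            # which itself steers by the referral data learned so far.
            addrs = resolve(ns, "A", cache, counter, depth + 1)
            if not addrs:
                return []
            cache.addr[ns] = addrs[0]
        ip = cache.addr[ns]
    raise RuntimeError("referral loop")


def validate_cold(names):
    """One validation run: starts from a cold cache, and the lookups it needs
    share only the state learned during this run. Returns ({name: addrs}, queries sent)."""
    cache, counter = ScratchCache(), [0]
    results = {n: resolve(n, "A", cache, counter) for n in names}
    return results, counter[0]


if __name__ == "__main__":
    print(validate_cold(["www.example.com.", "mail.example.com."]))  # 7 queries
    print(validate_cold(["www.example.com."]))                       # 6: cold again
```

The first lookup costs six queries because the com. referral carries no glue and the nameserver's address must be fetched by walking net. from the root; the second name in the same run costs one query, because the scratch cache already knows example.com.'s nameserver. A new run starts cold and pays the six queries again. DNSSEC validation from the IANA root key would sit on top of each answer and referral in this walk; the scratch cache only changes where a query starts, not what is trusted.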

