On 17/09/2016 16:30, Florian Weimer wrote:
> * Nick Lamb:
>
>> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>>> does dns hijacking or dns cache poisoning count as mitm?
>>
>> A careful CA validator does DNS only by making authoritative queries,
>> so they're not subject to cache poisoning since they don't look at
>> cached answers.
>
> I'm not sure if you can resolve all domains without some sort of DNS
> cache, in the sense that you never use data from one answer to satisfy
> more than one query (which can be internally generated).

Of course you can, it's just not what normal programs do (because for
normal programs, DNS caching is good).

> More reasonable would be to require that the resolver starts with a
> cold cache (possibly preloaded with a copy of the root zone) and
> performs DNSSEC validation starting with the IANA keys.

While DNSSEC validation should be done where present, not all
certificate requests will come from DNSSEC signed domains.  After all,
if they did, DANE would soon be a substitute for DV certs.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
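The authoritative-only resolution that Nick Lamb and Florian Weimer discuss above, as an added illustration that is not from this thread: a cache-free lookup that follows referrals from the root over constructed in-memory zone data (the server names, records and addresses are made up, and DNSSEC validation from the IANA trust anchor is not modelled).

```python
# Constructed in-memory zone data standing in for authoritative servers.
# Each server is keyed by name and serves records keyed by (owner, type).
AUTH_SERVERS = {
    "a.root-servers.net.": {("com.", "NS"): ["a.gtld-servers.net."]},
    "a.gtld-servers.net.": {("example.com.", "NS"): ["ns1.example.com."]},
    "ns1.example.com.": {("www.example.com.", "A"): ["192.0.2.30"]},
}

# A recursive resolver's cache after an attacker has poisoned it (constructed).
# The authoritative lookup below never reads it; it is here only for contrast.
POISONED_CACHE = {("www.example.com.", "A"): ["198.51.100.66"]}

ROOT_HINT = "a.root-servers.net."  # a cold resolver knows only its root hints


def query(server, owner, rtype):
    """Stand-in for sending one query to one authoritative server."""
    return AUTH_SERVERS[server].get((owner, rtype))


def resolve_authoritatively(name, rtype="A", max_hops=10):
    """Follow referrals from the root; return (answer, servers_asked).

    No answer is reused across lookups and no shared cache is consulted, so
    a poisoned cache has nothing to influence: every lookup restarts at the
    root hint and only accepts data from the server delegated for the zone.
    """
    server = ROOT_HINT
    asked = []
    for _ in range(max_hops):
        asked.append(server)
        answer = query(server, name, rtype)
        if answer is not None:
            return answer, asked
        # Not authoritative for the name: ask this server for the closest
        # enclosing zone it delegates (example.com. before com. before root).
        labels = name.split(".")
        referral = None
        for i in range(1, len(labels)):
            ns = query(server, ".".join(labels[i:]), "NS")
            if ns:
                referral = ns[0]
                break
        if referral is None:
            raise LookupError(f"{server} gave neither answer nor referral for {name}")
        server = referral
    raise LookupError("referral chain too long")
```

Comparing the returned address with POISONED_CACHE shows the point of the thread: the referral chain root, TLD, zone is what the validator trusts, not whatever a shared cache happens to hold.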
dev-security-policy mailing list