Alaric Dailey wrote:
> As far as a fix for DNS, everyone hates hearing it, but the fix is
> already out there; no one wants to use it, though.
> http://www.dnssec.com

I wouldn't say nobody wants to use it. I'd love to use it. See, e.g.,
https://bugzilla.mozilla.org/show_bug.cgi?id=342242 . I think it also
has a bunch of obvious applications in DNS-related anti-spam measures.
(e.g., I'd be pretty comfortable sending to /dev/null mail that failed
DKIM validation for something that was supposed to have it if the DKIM
DNS records were DNSSEC-verified; without that verification there's a
serious denial of service risk.)

That said, I'm not sure what good having support in Mozilla would mean
until the DNS root is signed, which I've been told hasn't happened yet.
Or would you want Mozilla to be responsible for verifying the keys for
every signed TLD, and perhaps even lower where the TLDs weren't signed?

-David
--
L. David Baron <URL: http://dbaron.org/ >
Technical Lead, Layout & CSS, Mozilla Corporation
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security