On 12/3/2014 4:08 PM, Matthew Gillen wrote:

The first flaw is DNSSEC to end clients.  There are two solutions to this:

That's not a flaw in DNSSEC. It's an expectation that is outside of the scope of DNSSEC.


The second issue was that DNSSEC has a built-in way to MITM it, where an
intermediary could strip out the info that indicated that a given domain
had DNSSEC records (the claim was this was forced for compatibility).  I
think Derek refuted that, and I have to believe that
what Richard claimed would defeat the whole purpose of DNSSEC.

Correct. Either you enforce DNSSEC and drop yourself into a black hole when a script kiddie plays games with UDP packets or you configure your security aware resolver to treat unsigned and stripped DNS answers as valid anyway. The former is not "protection"; it's locking your computer in a safe filled with concrete and dumping it down the Marianas Trench. The latter, well, what's the point of DNSSEC if you're going to ignore it?

Either way, DNSSEC really is pointless for end users.

--
Rich P.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to