Hello,

Last Friday, Apple released a patch for iOS 6/7 that fixes a bug in their recent SSL implementation. Without the fix, iOS is vulnerable to MITM attacks by attackers 'in a privileged network position', allowing them to intercept and influence SSL connections. OS X Mavericks (10.9) is still vulnerable at this time.

There's been quite a bit of discussion about this over the past few days, but DNSSEC has been kind of absent from that. I've been wondering whether DNSSEC would provide any mitigation for such an attack, if there is a validating resolver between me and the attacker? As this is kind of at the edge of my current understanding of things, I figured I'd ask here.

So what if:
a) my target zone is signed,
b) the local network is sufficiently trustworthy,
c) this local network has a validating resolver, and
d) firewalling rules enforce the use of this resolver for DNS resolution.

Would an attacker between me and the target zone, but outside the local network, still be able to impersonate a trusted endpoint in the target zone by exploiting a bug like this? My intuition says no, because the connection would be interrupted by a DNSSEC failure before it ever starts an SSL handshake with the endpoint? I could be wrong on this, but if so, I'd like to know where the fault in my reasoning lies :-)

Kind regards,
Joni

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
