Sadly not. Let's say you have an on-path attacker. Your DNS lookup returns the right IP address, validated by DNSSEC, but the attacker is intercepting traffic to that address.
OK, but you have DANE to help validate the site's certificate. The attacker presents the right certificate (after all it is public information) so DANE and DNSSEC say it is good.

At this point things ought to break - the attacker does not have the private key matching the certificate. But Apple's code failed to check the signature properly. So you end up talking to the attacker, but thinking you have authenticated the legitimate site.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
North Bailey: Southeasterly backing northeasterly 6 to gale 8, occasionally severe gale 9. Rough or very rough. Rain or showers. Moderate or good.
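
Added example, not part of Tony's post and not Apple's code: a Go model of the handshake step the post describes. The legitimate server signs its ServerKeyExchange parameters with the private key matching its certificate; the on-path attacker presents the same (public) certificate but can only sign with a key of its own. `VerifyCorrect` checks the signature against the certificate's public key and rejects the attacker; `VerifyBroken` returns success before the signature is ever compared, so the attacker is accepted even though DANE and DNSSEC vouched for the right certificate. The message layout, the nonces and parameter bytes, and the use of ECDSA P-256 over a SHA-256 digest of nonces plus parameters are constructed simplifications of the real TLS 1.2 signature input, assumed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ServerKeyExchange carries the ephemeral parameters a TLS server offers.
// TLS requires them to be signed with the private key matching the server's
// certificate, which is what lets a client tell the real server from an
// on-path attacker that merely replays the public certificate.
type ServerKeyExchange struct {
	ClientRandom []byte
	ServerRandom []byte
	Params       []byte // ephemeral (EC)DH parameters; constructed bytes here
	Signature    []byte
}

// transcriptHash is the digest the signature covers (simplified: both
// nonces followed by the parameters).
func transcriptHash(kx *ServerKeyExchange) []byte {
	h := sha256.New()
	h.Write(kx.ClientRandom)
	h.Write(kx.ServerRandom)
	h.Write(kx.Params)
	return h.Sum(nil)
}

// Sign is what the legitimate server does; it needs the private key.
func Sign(priv *ecdsa.PrivateKey, kx *ServerKeyExchange) error {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, transcriptHash(kx))
	if err != nil {
		return err
	}
	kx.Signature = sig
	return nil
}

// VerifyCorrect checks the signature against the public key taken from the
// DANE/DNSSEC-validated certificate. Without the private key the attacker
// cannot produce a signature that passes this check.
func VerifyCorrect(pub *ecdsa.PublicKey, kx *ServerKeyExchange) error {
	if len(kx.Signature) == 0 {
		return errors.New("missing ServerKeyExchange signature")
	}
	if !ecdsa.VerifyASN1(pub, transcriptHash(kx), kx.Signature) {
		return errors.New("bad ServerKeyExchange signature")
	}
	return nil
}

// VerifyBroken is a deliberately buggy verifier modelling the failure shape
// the post describes: the digest is computed, then an unconditional jump to
// the exit path skips the signature comparison while err is still nil, so the
// function reports success without ever having checked the signature.
func VerifyBroken(pub *ecdsa.PublicKey, kx *ServerKeyExchange) (err error) {
	digest := transcriptHash(kx)
	if len(kx.Signature) == 0 {
		err = errors.New("missing ServerKeyExchange signature")
		goto fail
	}
	goto fail // BUG: stray jump; the signature check below is never reached
	if !ecdsa.VerifyASN1(pub, digest, kx.Signature) {
		err = errors.New("bad ServerKeyExchange signature")
	}
fail:
	return err
}

// Scenario plays out the attack from the post and reports whether the correct
// verifier accepted the genuine server, whether it rejected the attacker, and
// whether the broken verifier let the attacker through.
func Scenario() (genuineAccepted, attackerRejected, attackerSlipsThrough bool, err error) {
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	certPub := &serverKey.PublicKey // the key DANE and DNSSEC vouch for
	clientRandom := bytes.Repeat([]byte{0x11}, 32) // constructed client nonce

	// Genuine handshake: signed with the server's private key.
	genuine := &ServerKeyExchange{ClientRandom: clientRandom,
		ServerRandom: bytes.Repeat([]byte{0x22}, 32), Params: []byte("constructed-server-params")}
	if err = Sign(serverKey, genuine); err != nil {
		return
	}
	genuineAccepted = VerifyCorrect(certPub, genuine) == nil

	// On-path attacker: same certificate, but its own parameters signed with
	// the only private key it has, which is not the one in the certificate.
	fake := &ServerKeyExchange{ClientRandom: clientRandom,
		ServerRandom: bytes.Repeat([]byte{0x33}, 32), Params: []byte("constructed-attacker-params")}
	if err = Sign(attackerKey, fake); err != nil {
		return
	}
	attackerRejected = VerifyCorrect(certPub, fake) != nil
	attackerSlipsThrough = VerifyBroken(certPub, fake) == nil
	return
}

func main() {
	genuineOK, rejected, slipped, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("correct verifier accepts genuine server:", genuineOK)
	fmt.Println("correct verifier rejects attacker:", rejected)
	fmt.Println("broken verifier accepts attacker:", slipped)
}
```

The point the example makes is the one in the post: DNSSEC and DANE only bind the name to a certificate, and the certificate is public. The only thing that proves the peer holds the matching private key is the signature check inside the TLS handshake, and a client that skips it authenticates whoever is on the path.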
