[Discuss] free SSL certs from the EFF
Derek Atkins
warlord at MIT.EDU
Tue Dec 2 10:46:24 EST 2014
Richard Pieri <richard.pieri at gmail.com> writes:
> On 12/1/2014 1:42 PM, Derek Atkins wrote:
>> I think it depends very much on your definition of "Secure". You are
>> correct that DNSsec does not provide any confidentiality services.
>> However it does indeed protect the data integrity from interloping
>> intermediaries and provide authenticated DNS Data.
>
> No, it doesn't. It only prevents cache poisoning when DNSSEC is
> enforced on your resolvers. If you do not enforce DNSSEC on your
> resolvers then your resolvers will accept any unsigned RRs including
> those that have had the RRSIG records stripped by malicious
> intermediaries.
Well, duh.. And if you don't check the validity of your TLS certs then
you can be MITM'ed too. Of course DNSsec requires a DNSsec-aware
resolver; it cannot protect someone who doesn't want to be protected.
You can put a lock on your front door but it doesn't do any good if you
don't actually lock it!!
But you're looking at the wrong issue; DNSsec-capable resolvers exist
and have existed for years. In fact I would bet your current Linux host
has a DNSsec-capable resolver. It might not be turned on by default,
but they are definitely out there.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
More information about the Discuss
mailing list