[Discuss] free SSL certs from the EFF
Richard Pieri
richard.pieri at gmail.com
Wed Dec 3 16:33:51 EST 2014
On 12/3/2014 4:08 PM, Matthew Gillen wrote:
> The first flaw is DNSSEC to end clients. There are two solutions to this:
That's not a flaw in DNSSEC. It's an expectation that is outside of the
scope of DNSSEC.
> The second issue was that DNSSEC has a built-in way to MITM it, where an
> intermediary could strip out the info that indicated that a given domain
> had DNSSEC records (the claim was this was forced for compatibility). I
> think Derek refuted that, and I have to believe that
> what Richard claimed would defeat the whole purpose of DNSSEC.
Correct. Either you enforce DNSSEC and drop yourself into a black hole
when a script kiddie plays games with UDP packets or you configure your
security aware resolver to treat unsigned and stripped DNS answers as
valid anyway. The former is not "protection"; it's locking your computer
in a safe filled with concrete and dumping it down the Marianas Trench.
The latter, well, what's the point of DNSSEC if you're going to ignore it?
Either way, DNSSEC really is pointless for end users.
--
Rich P.
More information about the Discuss
mailing list