Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] free SSL certs from the EFF



Richard Pieri <richard.pieri at gmail.com> writes:

> On 12/1/2014 1:42 PM, Derek Atkins wrote:
>> I think it depends very much on your definition of "Secure".  You are
>> correct that DNSsec does not provide any confidentiality services.
>> However it does indeed protect the data integrity from interloping
>> intermediaries and provide authenticated DNS Data.
>
> No, it doesn't. It only prevents cache poisoning when DNSSEC is
> enforced on your resolvers. If you do not enforce DNSSEC on your
> resolvers then your resolvers will accept any unsigned RRs including
> those that have had the RRSIG records stripped by malicious
> intermediaries.

Well, duh.  And if you don't check the validity of your TLS certs then
you can be MITM'ed too.  Of course DNSsec requires a DNSsec-aware
resolver; it cannot protect someone who doesn't want to be protected.
You can put a lock on your front door but it doesn't do any good if you
don't actually lock it!!

But you're looking at the wrong issue; DNSsec-capable resolvers exist
and have existed for years.  In fact I would bet your current Linux host
has a DNSsec-capable resolver.  It might not be turned on by default,
but they are definitely out there.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
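Both posts agree on the precondition: DNSSEC only protects you when the resolver you actually use validates signatures, and a resolver that does not will happily hand back RRsets whose RRSIGs were stripped. The script below is an added example (not from this thread or either poster) that checks that condition from the client side: it looks for the AD (Authenticated Data) flag on a correctly signed name and for SERVFAIL on a name whose signature chain is deliberately broken. Assumptions: BIND's `dig` is installed for the live check; `isc.org` is a signed zone and `dnssec-failed.org` is the publicly operated test zone with intentionally bad signatures; the embedded sample `dig` outputs are constructed, not captured.

```shell
#!/bin/sh
# Added example: does the resolver in use actually validate DNSSEC?
# The parsing functions work on saved dig output; the live check needs `dig`.

# Return 0 if the dig output on stdin shows the AD flag in the header,
# i.e. the answering resolver validated the data itself.
has_ad_flag() {
    grep -Eq '^;; flags:.* ad[ ;]'
}

# Return 0 if the dig output on stdin is a SERVFAIL, which is what a
# validating resolver returns for a name whose signatures do not check out.
is_servfail() {
    grep -Eq '^;; ->>HEADER<<-.* status: SERVFAIL'
}

# classify GOOD_OUTPUT BAD_OUTPUT
#   GOOD_OUTPUT: dig response for a correctly signed name
#   BAD_OUTPUT:  dig response for a name whose DNSSEC chain is broken
# Prints one of: validating, not-validating, inconsistent
classify() {
    good="$1"
    bad="$2"
    if printf '%s\n' "$good" | has_ad_flag; then
        if printf '%s\n' "$bad" | is_servfail; then
            echo validating      # AD on good data, broken data refused
        else
            echo inconsistent    # claims to validate, yet served broken data
        fi
    else
        echo not-validating      # no AD: unsigned/stripped RRs accepted as-is
    fi
}

# Constructed sample dig output (header lines only; not real captures).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# live_check [RESOLVER_IP]: query a real resolver (default: the system one).
# Assumed test names: isc.org (signed) and dnssec-failed.org (deliberately
# broken signatures, published for exactly this kind of check).
live_check() {
    server="${1:+@$1}"
    good=$(dig $server +dnssec +time=3 +tries=1 A isc.org)
    bad=$(dig $server +dnssec +time=3 +tries=1 A dnssec-failed.org)
    classify "$good" "$bad"
}

# Only touch the network when asked, so the script also runs offline:
#   RUN_LIVE=1 sh dnssec_check.sh [resolver-ip]
if [ "${RUN_LIVE:-0}" = 1 ] && command -v dig >/dev/null 2>&1; then
    live_check "$1"
fi
```

Two caveats when reading the result. The AD bit is set by whichever validating resolver answered, so a stub pointed at a remote validating resolver over an untrusted path can have the flag (or the whole answer) altered in transit; the check is only as strong as the path to the resolver, which is why running the validator locally is the usual advice. And "not-validating" is exactly the state Richard describes: to turn validation on, BIND uses `dnssec-validation auto;` in `options` and Unbound uses `auto-trust-anchor-file` in its `server` section.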



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org