VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

Benny Amorsen benny+usenet at amorsen.dk
Thu Oct 13 08:29:19 UTC 2011


Tomas Mraz <tmraz at redhat.com> writes:

> And if this malicious DNS administrator controls the caching
> nameserver you're using for DNS queries, he can present you ANY data
> even 'valid' fake DNSSEC data.

This is not generally true. Resolver libraries can (and should, IMHO)
verify DNSSEC themselves. Otherwise DNSSEC is somewhat pointless,
because it is precisely when you are stuck behind an untrusted Wifi
gateway that you need DNSSEC the most.


/Benny



More information about the devel mailing list