VerifyHostKeyDNS, was Re: Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30
Tomas Mraz
tmraz at redhat.com
Thu Oct 13 08:51:13 UTC 2011
On Thu, 2011-10-13 at 10:29 +0200, Benny Amorsen wrote:
> Tomas Mraz <tmraz at redhat.com> writes:
>
> > And if this malicious DNS administrator controls the caching
> > nameserver you're using for DNS queries, he can present you ANY data
> > even 'valid' fake DNSSEC data.
>
> This is not generally true. Resolver libraries can (and should, IMHO)
> verify DNSSEC themselves. Otherwise DNSSEC is somewhat pointless,
> because it is precisely when you are stuck behind an untrusted Wifi
> gateway that you need DNSSEC the most.
Yes, they can and should. But they don't.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the devel
mailing list