[dns-operations] Massive DNS poisoning attacks in Brazil

Andrew Sullivan ajs at anvilwalrusden.com
Wed Oct 3 01:15:18 UTC 2012

On Wed, Oct 03, 2012 at 12:49:20AM +0000, Vernon Schryver wrote:
> web for most connected computers (e.g. phones).  Writing DNSSEC
> validation code for every application that depends on accurate DNS
> data would be as crazy as not using libraries and daemons for other
> local authentication and authorization.

Just in case it wasn't plain (I guess it wasn't), I am not arguing
that this is a good state of affairs.  I was merely arguing that
Paul's description of the problem is the wrong one.  There is no
validation at the edge at least in part because applications can't
consume it, so there's no point.  I have no idea whether the ability
to consume that validation information would change the state of
affairs, but it's certainly a necessary condition for TLSA use.


Andrew Sullivan
ajs at anvilwalrusden.com
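As an added illustration (not part of the thread, and not code from any of the posters), here is what "consuming validation information" looks like from an application's side: a TLSA answer in DNS wire format is parsed, and the records are handed to the caller only when the resolver set the AD (Authenticated Data) bit defined in RFC 4035. The response bytes, the name `_443._tcp.example.com`, and the certificate-association data are all constructed for this example; an AD bit is only meaningful when the resolver that set it is trusted (for example, a validating resolver on localhost), which is the gap the thread is discussing.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035): QR = response, AD = authenticated data.
FLAG_QR = 0x8000
FLAG_AD = 0x0020
TYPE_TLSA = 52
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_tlsa_response(qname, tlsa_records, ad):
    """Construct a minimal DNS response (sample data for this example only).

    tlsa_records is a list of (usage, selector, matching_type, association_data).
    """
    flags = FLAG_QR | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(tlsa_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    answers = b""
    for usage, selector, mtype, data in tlsa_records:
        rdata = bytes([usage, selector, mtype]) + data
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it in the stream)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Return (header flags, list of TLSA records as (owner, usage, selector, mtype, data))."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TLSA:
            records.append((owner, rdata[0], rdata[1], rdata[2], rdata[3:]))
    return flags, records


def usable_tlsa(msg):
    """Return TLSA records only if the (trusted) resolver asserted DNSSEC validation via AD.

    Without AD, the records may be unsigned or unvalidated and must not be used to
    pin a TLS certificate, so the caller gets an empty list and falls back to its
    ordinary certificate checks.
    """
    flags, records = parse_response(msg)
    if not flags & FLAG_AD:
        return []
    return records


if __name__ == "__main__":
    assoc = bytes.fromhex("ab" * 32)  # constructed 32-byte association data (SHA-256 sized)
    validated = build_tlsa_response("_443._tcp.example.com", [(3, 1, 1, assoc)], ad=True)
    unvalidated = build_tlsa_response("_443._tcp.example.com", [(3, 1, 1, assoc)], ad=False)
    print("AD set:", usable_tlsa(validated))
    print("AD clear:", usable_tlsa(unvalidated))
```

The point the thread makes is visible in `usable_tlsa`: the only thing an application can act on is the AD bit in the response, and that bit is worthless unless the path between the application and a validating resolver is itself trustworthy. A resolver library that exposes the bit, plus a validator close enough to the edge to trust, is the precondition for an application to use TLSA at all.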

