[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Wouters paul at cypherpunks.ca
Wed Oct 3 13:51:20 UTC 2012


On Tue, 2 Oct 2012, Andrew Sullivan wrote:

> Yep, I know.  But my point (which I apparently stated so badly that it
> was impossible to understand) is that it _doesn't matter_ if you can
> get DNSSEC out at the edge, if the application can't tell.

> No.  Rather, if I'm going to consume the TLSA record, I need some sort
> of confidence that the record was obtained securely.

Indeed.

If the application gets a TLSA record, it must have passed DNSSEC
validation, either on the localhost, in the app, or via an AD bit
over a VPN connection. Otherwise, you did not get a usable TLSA record.
I thought we agreed on that in RFC 6698 Section 8 (specifically, 8.3)

 	"For this reason, DNSSEC validation is best performed on-host,
 	 even when a secure path to an external validator is available."

Of course, this leaves out any talk about internal only zones, VPNs, and
internal TLSA records, where things become a little more complicated.

Paul



More information about the dns-operations mailing list