[dns-operations] Massive DNS poisoning attacks in Brazil
Paul Wouters
paul at cypherpunks.ca
Wed Oct 3 13:51:20 UTC 2012
On Tue, 2 Oct 2012, Andrew Sullivan wrote:
> Yep, I know. But my point (which I apparently stated so badly that it
> was impossible to understand) is that it _doesn't matter_ if you can
> get DNSSEC out at the edge, if the application can't tell.
> No. Rather, if I'm going to consume the TLSA record, I need some sort
> of confidence that the record was obtained securely.
Indeed.
If the application gets a TLSA record, it must have passed DNSSEC
validation, either on the localhost, in the app, or via an AD bit
over a VPN connection. Otherwise, you did not get a usable TLSA record.
I thought we agreed on that in RFC 6698 Section 8 (specifically, 8.3)
"For this reason, DNSSEC validation is best performed on-host,
even when a secure path to an external validator is available."
Of course, this leaves out any talk about internal-only zones, VPNs, and
internal TLSA records, where things become a little more complicated.
Paul
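The rule stated above (a TLSA record is only usable if DNSSEC validation happened on-host, in the application, or is signalled by the AD bit over a path you trust) as an added example, not part of Paul's message or of any resolver or DANE library. It uses only the Python standard library: it parses a DNS response from wire format, pulls out the TLSA RRset, and then applies the policy that AD=1 counts only when the resolver is loopback or on an explicitly trusted address. The DNS messages and the certificate hash are constructed samples, and the `trusted_resolvers` parameter is a hypothetical stand-in for the "validator reachable over a VPN" case; the example does not itself verify RRSIGs, which is what the in-application option would require.

```python
import hashlib
import ipaddress
import struct

AD_FLAG = 0x0020        # Authenticated Data bit in the DNS header flags word
TYPE_TLSA = 52
CLASS_IN = 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly-compressed DNS name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_response(qname, ad, tlsa_records):
    """Constructed sample: a minimal DNS answer to a TLSA query (no EDNS, no RRSIGs)."""
    flags = 0x8180 | (AD_FLAG if ad else 0)             # QR=1, RD=1, RA=1, optional AD
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(tlsa_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    answers = b""
    for usage, selector, mtype, data in tlsa_records:
        rdata = bytes([usage, selector, mtype]) + data
        # owner name is a pointer (0xC00C) back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


def parse_response(msg):
    """Return (ad_bit_set, [(usage, selector, matching_type, cert_data), ...])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TLSA and rclass == CLASS_IN and len(rdata) >= 3:
            records.append((rdata[0], rdata[1], rdata[2], rdata[3:]))
    return bool(flags & AD_FLAG), records


def usable_tlsa(msg, resolver_ip, trusted_resolvers=()):
    """The policy from the thread: AD=1 is only evidence of validation when the
    resolver is on-host (loopback) or on an address we explicitly trust, e.g. one
    reachable only over a VPN (trusted_resolvers is a hypothetical parameter).
    Anything else yields no usable TLSA records at all."""
    ad, records = parse_response(msg)
    addr = ipaddress.ip_address(resolver_ip)
    trusted = addr.is_loopback or any(addr in ipaddress.ip_network(n) for n in trusted_resolvers)
    if not (ad and trusted):
        return []
    return records


# Constructed sample: a DANE-EE / SPKI / SHA-256 record (3 1 1) for a made-up host.
SAMPLE_HASH = hashlib.sha256(b"constructed sample certificate").digest()
SAMPLE_TLSA = [(3, 1, 1, SAMPLE_HASH)]
SAMPLE_RESPONSE_AD = build_response("_443._tcp.mail.example.", True, SAMPLE_TLSA)
SAMPLE_RESPONSE_NOAD = build_response("_443._tcp.mail.example.", False, SAMPLE_TLSA)

if __name__ == "__main__":
    print("on-host validator, AD=1:", usable_tlsa(SAMPLE_RESPONSE_AD, "127.0.0.1"))
    print("AD=1 over an untrusted path:", usable_tlsa(SAMPLE_RESPONSE_AD, "192.0.2.53"))
    print("AD=1 from a VPN-only resolver:",
          usable_tlsa(SAMPLE_RESPONSE_AD, "10.8.0.1", trusted_resolvers=("10.8.0.0/24",)))
    print("no AD bit at all:", usable_tlsa(SAMPLE_RESPONSE_NOAD, "127.0.0.1"))
```

The point the policy function makes is that the AD bit is a claim by whoever answered, so it is only worth anything when the last hop cannot be tampered with; a response from an arbitrary upstream resolver with AD=1 is treated exactly like a response with no validation. The question of which non-loopback addresses to trust is the "VPN and internal zones" complication the message sets aside.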