[dns-operations] Massive DNS poisoning attacks in Brazil
Paul Wouters
paul at cypherpunks.ca
Wed Oct 3 14:42:12 UTC 2012
On Wed, 3 Oct 2012, Paul Hoffman wrote:
> I fully agree with all of this, but it leaves the question: what about tunneling DNS in TLS-over-HTTP? The earlier statement about why this would not work (corporations getting MITM certificates from bad actors in the root pile) doesn't actually apply because the client will have a single TLS trust anchor, possibly even one not even in the root pile.
Why would the client even need a single trust anchor for this?
Current unbound dns-over-tls completely ignores the TLS. It is only used
to get out, not for any type of authentication of transport or data.
Paul
More information about the dns-operations
mailing list