[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Wouters paul at cypherpunks.ca
Wed Oct 3 14:42:12 UTC 2012


On Wed, 3 Oct 2012, Paul Hoffman wrote:

> I fully agree with all of this, but it leaves the question: what about tunneling DNS in TLS-over-HTTP? The earlier statement about why this would not work (corporations getting MITM certificates from bad actors in the root pile) doesn't actually apply because the client will have a single TLS trust anchor, possibly even one not even in the root pile.

Why would the client even need a single trust anchor for this?

Current unbound dns-over-tls completely ignores the TLS. It is only used
to get out, not for any type of authentication of transport or data.

Paul



More information about the dns-operations mailing list