[dns-operations] Massive DNS poisoning attacks in Brazil
    Paul Hoffman 
    paul.hoffman at vpnc.org
       
    Wed Oct  3 15:10:15 UTC 2012
    
    
  
On Oct 3, 2012, at 7:42 AM, Paul Wouters <paul at cypherpunks.ca> wrote:
> On Wed, 3 Oct 2012, Paul Hoffman wrote:
> 
>> I fully agree with all of this, but it leaves the question: what about tunneling DNS in TLS-over-HTTP? The earlier statement about why this would not work (corporations getting MITM certificates from bad actors in the root pile) doesn't actually apply because the client will have a single TLS trust anchor, possibly even one not even in the root pile.
> 
> Why would the client even need a single trust anchor for this?
For non-validating stubs.
> Current unbound dns-over-tls completely ignores the TLS. It is only used
> to get out, not for any type of authentication of transport or data.
Right: a validating stub who is using HTTP-over-TLS only as tunneled DNS transport has no need to know the identity of the other party.
--Paul Hoffman
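The two cases in this exchange, as an added example that is not part of the thread and not unbound's own code: a non-validating stub gets its only protection from the TLS session, so it must pin a single trust anchor and check the resolver's name, whereas a DNSSEC-validating stub can treat TLS as an opaque tunnel and skip peer authentication entirely. The code assumes Python's standard `ssl`, `socket` and `struct` modules, the 2-octet length framing that DNS over TCP (and therefore a TLS tunnel of it) uses, and constructed inputs; the resolver address, port and name are placeholders, and `query_over_tls` is the only function that touches the network.

```python
"""Added example: DNS over a TLS tunnel, configured for a validating or a
non-validating stub. Not from the mailing-list thread or from unbound.
"""
import socket
import ssl
import struct
from typing import Optional, Tuple

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query with an EDNS0 OPT record carrying the DO bit,
    so a DNSSEC-validating stub receives the RRSIGs it needs."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # QCLASS IN
    # OPT RR: root name, TYPE=41, UDP size 4096, ext-rcode 0, version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with a 2-octet big-endian length."""
    return struct.pack(">H", len(msg)) + msg

def parse_frame(buf: bytes) -> Tuple[bytes, bytes]:
    """Split one length-prefixed message off a stream buffer; returns (message, rest).
    Raises ValueError if the buffer does not yet hold a complete message."""
    if len(buf) < 2:
        raise ValueError("need length prefix")
    n = struct.unpack(">H", buf[:2])[0]
    if len(buf) < 2 + n:
        raise ValueError("incomplete message")
    return buf[2:2 + n], buf[2 + n:]

def authenticated_context(trust_anchor_pem: str) -> ssl.SSLContext:
    """Non-validating stub: TLS is the only thing standing between the stub and a
    forged answer, so trust exactly one anchor (not the system root pile) and
    require a name match. Refuses to build a context with an empty trust store."""
    if "-----BEGIN CERTIFICATE-----" not in trust_anchor_pem:
        raise ValueError("trust anchor must be a PEM certificate")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cadata=trust_anchor_pem)  # the single pinned anchor
    return ctx

def opportunistic_context() -> ssl.SSLContext:
    """Validating stub: TLS is only a tunnel, DNSSEC authenticates the data, so
    the peer's identity is irrelevant. check_hostname must be cleared before
    verify_mode can be lowered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def resolver_context(validating_stub: bool, trust_anchor_pem: Optional[str] = None) -> ssl.SSLContext:
    """Pick the context for the kind of stub: a non-validating stub without a
    trust anchor has no source of authenticity at all, so that is rejected."""
    if validating_stub:
        return opportunistic_context()
    if trust_anchor_pem is None:
        raise ValueError("non-validating stub needs a trust anchor")
    return authenticated_context(trust_anchor_pem)

def check_response(query: bytes, response: bytes) -> bool:
    """Sanity check every stub should do regardless of mode: transaction ID
    matches, QR bit set, and the question section is echoed back unchanged."""
    if len(response) < 12 or response[:2] != query[:2]:
        return False
    if not response[2] & 0x80:
        return False
    qlen = len(query) - 11  # everything before the 11-byte OPT record
    return response[12:qlen] == query[12:qlen]

def query_over_tls(host: str, port: int, ctx: ssl.SSLContext, server_name: Optional[str], name: str) -> bytes:
    """Send one query through the tunnel and return the raw answer (network I/O;
    host/port/server_name are placeholders supplied by the caller)."""
    q = build_query(name)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(q))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the tunnel")
                buf += chunk
                try:
                    msg, _ = parse_frame(buf)
                except ValueError:
                    continue
                if not check_response(q, msg):
                    raise ValueError("answer does not match query")
                return msg
```

The asymmetry in `resolver_context` is the point of the exchange: the opportunistic context is only safe when the stub validates DNSSEC itself, and a non-validating stub is refused outright rather than silently falling back to the system root store.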