[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?

DTNX Postmaster postmaster at dtnx.net
Mon Feb 24 18:28:56 UTC 2014


Last Friday, Apple released a patch for iOS 6/7 that fixes a bug in 
their recent SSL implementation. Without the fix, iOS is vulnerable to 
MITM attacks by attackers 'in a privileged network position', allowing 
them to intercept and influence SSL connections. OS X Mavericks (10.9) 
is still vulnerable at this time.

There's been quite a bit of discussion about this over the past few 
days, but DNSSEC has been kind of absent from that.

I've been wondering whether DNSSEC would provide any mitigation for 
such an attack, if there is a validating resolver between me and the 
attacker? As this is kind of at the edge of my current understanding of 
things, I figured I'd ask here.

So what if: a) my target zone is signed, b) the local network is 
sufficiently trustworthy, c) this local network has a validating 
resolver, and d) firewalling rules enforce the use of this 
resolver for DNS resolution.

Would an attacker between me and the target zone, but outside the local 
network, still be able to impersonate a trusted endpoint in the target 
zone by exploiting a bug like this?

My intuition says no, because the connection would be interrupted by a 
DNSSEC failure before it ever starts an SSL handshake with the endpoint? 
I could be wrong on this, but if so, I'd like to know where the fault 
in my reasoning lies :-)
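A toy model of the four conditions and the attacker placement described in the post, added here as an illustration and not part of the original message. The zone key, the names and the TEST-NET addresses are constructed, the HMAC stands in for RRSIG validation, and "cert check broken" stands in for a client whose certificate verification accepts an invalid chain.

```python
"""Model: signed zone, validating local resolver, on-path attacker outside
the local network, and a TLS client with or without a broken cert check."""
import hmac
import hashlib

ZONE_KEY = b"constructed-zone-signing-key"   # stands in for DNSKEY/RRSIG (constructed)
TARGET_NAME = "www.example.net"               # constructed name in the signed zone
TARGET_IP = "192.0.2.10"                      # constructed TEST-NET-1 address


def rrsig(name, ip):
    """Constructed stand-in for an RRSIG over the A record."""
    return hmac.new(ZONE_KEY, f"{name}={ip}".encode(), hashlib.sha256).hexdigest()


SIGNED_ZONE = {TARGET_NAME: (TARGET_IP, rrsig(TARGET_NAME, TARGET_IP))}


def validating_resolve(name, answer):
    """Local validating resolver: SERVFAIL unless the signature verifies."""
    ip, sig = answer
    if not hmac.compare_digest(sig, rrsig(name, ip)):
        raise ValueError("DNSSEC validation failed (SERVFAIL)")
    return ip


class OnPathAttacker:
    """Between the local network and the target: sees DNS answers and every
    TCP connection to the target's address, so can answer as the target."""
    def __init__(self, forge_dns):
        self.forge_dns = forge_dns

    def dns_answer(self, name):
        if self.forge_dns:                       # try to redirect via a bogus answer
            return ("198.51.100.7", "bogus-signature")
        return SIGNED_ZONE[name]                 # pass the genuine, signed answer through

    def tcp_connect(self, ip):
        # The address is correct, but the path is not: the attacker terminates
        # the connection and presents a certificate that does not validate.
        return {"peer": "attacker", "cert_valid": False}


def client_connect(name, attacker, cert_check_broken):
    """Resolve through the validating resolver, then start TLS to that IP.
    Returns (resolved_ip, who answered, whether the client accepted the session)."""
    ip = validating_resolve(name, attacker.dns_answer(name))   # raises if DNS was forged
    session = attacker.tcp_connect(ip)
    accepted = True if cert_check_broken else session["cert_valid"]
    return ip, session["peer"], accepted
```

Forging DNS is caught by validation, but the attacker does not need to forge it: the client reaches the correct address over a path the attacker controls, and only the certificate check decides whether the impersonation succeeds.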
