[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?
postmaster at dtnx.net
Mon Feb 24 18:28:56 UTC 2014
Last Friday, Apple released a patch for iOS 6/7 that fixes a bug in
their recent SSL implementation. Without the fix, iOS is vulnerable to
MITM attacks by attackers 'in a privileged network position', allowing
them to intercept and influence SSL connections. OS X Mavericks (10.9)
is still vulnerable at this time.
There's been quite a bit of discussion about this over the past few
days, but DNSSEC has been kind of absent from that.
I've been wondering whether DNSSEC would provide any mitigation for
such an attack, if there validating resolver between me and the
attacker? As this is kind of at the edge of my current understanding of
things, I figured I'd ask here.
So what if; a) my target zone is signed, b) the local network is
sufficiently trustworthy, c) this local network has a validating
resolver, and d) firewalling rules that enforce the use of this
resolver for DNS resolution.
Would an attacker between me and the target zone, but outside the local
network, still be able to impersonate a trusted endpoint in the target
zone by exploiting a bug like this?
My intuition says no, because the connection would be interrupted by a
DNSSEC failure before it ever starts a SSL handshake with the endpoint?
I could be wrong on this, but if so, I'd like to know where the fault
in my reasoning lies :-)
More information about the dns-operations