[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?

Paul Hoffman paul.hoffman at vpnc.org
Mon Feb 24 19:09:06 UTC 2014

On Feb 24, 2014, at 10:28 AM, DTNX Postmaster <postmaster at dtnx.net> wrote:

> I've been wondering whether DNSSEC would provide any mitigation for 
> such an attack, if there validating resolver between me and the 
> attacker?

Not in this case. The Apple bug allows an MITM to use the real certificate for the attacked site, while simply making up a private key. 

Paul W's incorrect answer assumes a bug where the MITM needs to have a valid certificate. That is the most common case, but not the one relevant here; the Apple bug allowed a certificate for which the private key didn't match.

--Paul Hoffman

More information about the dns-operations mailing list