[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?

Tony Finch dot at dotat.at
Mon Feb 24 19:12:26 UTC 2014

Sadly not.

Let's say you have an on-path attacker. Your DNS lookup returns the right
IP address, validated by DNSSEC, but the attacker is intercepting traffic
to that address.

OK, but you have DANE to help validate the site's certificate. The
attacker presents the right certificate (after all it is public
information) so DANE and DNSSEC say it is good.

At this point things ought to break - the attacker does not have the
private key matching the certificate. But Apple's code failed to check the
signature properly. So you end up talking to the attacker, but thinking
you have authenticated the legitimate site.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
North Bailey: Southeasterly backing northeasterly 6 to gale 8, occasionally
severe gale 9. Rough or very rough. Rain or showers. Moderate or good.

More information about the dns-operations mailing list