[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?

Paul Wouters paul at nohats.ca
Tue Feb 25 16:28:16 UTC 2014

On Mon, 24 Feb 2014, Paul Hoffman wrote:

> On Feb 24, 2014, at 10:28 AM, DTNX Postmaster <postmaster at dtnx.net> wrote:
>> I've been wondering whether DNSSEC would provide any mitigation for
>> such an attack, if there validating resolver between me and the
>> attacker?
> Not in this case. The Apple bug allows an MITM to use the real certificate for the attacked site, while simply making up a private key.
> Paul W's incorrect answer assumes a bug where the MITM needs to have a valid certificate. That is the most common case, but not the one relevant here; the Apple bug allowed a certificate for which the private key didn't match.

Indeed. I was wrong. Thank you for the correction.


More information about the dns-operations mailing list