[Cryptography] DNSSEC = completely unnecessary?

Ben Laurie ben at links.org
Wed Nov 6 17:35:03 EST 2013


On 6 November 2013 22:02, Paul Wouters <paul at cypherpunks.ca> wrote:
> On Wed, 6 Nov 2013, Ben Laurie wrote:
>
>>>> How did DNS get this magic un-MITM-able property?
>>>>
>>>> Surely if the GoC wants to cause nohats.ca to be modified, for some
>>>> specific target(s), they can do that?
>>>
>>>
>>> He didn't say it isn't MITM-able. He said that it cannot do so
>>> invisibly. In his model Eve would be able to perform a MITM attack, but
>>> it would be immediately apparent to any party since the public
>>> information would have to change.
>>
>>
>> I got what he said. It's not true.
>
>
> I could send my DNS queries over tor or over an IPsec VPN to some resolver.

And if you are not the target, you will not see the targeted response.

Likewise, the same thing could be done with HTTPS...

> You are assuming my DNS goes out my network port in a way you can read
> it and with the private key of the root or TLD send me custom answers.

_You_ get the standard answers.

The target gets the custom answers.
