[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?
drc at virtualized.org
Sat Oct 11 10:37:49 EDT 2014
On Oct 11, 2014, at 1:24 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> So just to make sure I'm getting this right, Sonic are sending out DNSSEC-
> authenticated but invalid/spoofed/however you want to label them DNS
> As you say, the very thing that DNSSEC was designed to prevent?
Data between the resolver and the client application is not protected by DNSSEC. And, of course, the resolver can do anything it wants to the data it returns to the client application. DNSSEC can best be seen as protecting the integrity of the data that is entered into the resolver's cache.
The best (IMHO) way to protect that data is to run your own validating resolver locally (on the same machine as the client application).
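Added example, not part of the original message: a sketch of what a non-validating stub actually receives from its resolver, showing that the AD ("Authenticated Data") header bit is an unsigned flag and looks the same whatever address the resolver returns. The helper names, the query name and the documentation-range addresses are constructed for illustration.

```python
import socket
import struct

AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags (RFC 4035)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(name, ipv4, ad=True):
    """Constructed sample: a minimal resolver-to-stub response with one A record."""
    flags = 0x8180 | (AD_FLAG if ad else 0)  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ipv4)
    return header + question + answer

def stub_view(msg):
    """What a non-validating stub learns: the AD bit and the answer, no signatures."""
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    while msg[pos]:          # skip the question name labels
        pos += msg[pos] + 1
    pos += 1 + 4             # root label, then QTYPE and QCLASS
    pos += 2                 # compressed owner name (assumed, as built above)
    rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    rdata = msg[pos + 10:pos + 10 + rdlen]
    return {"ad": bool(flags & AD_FLAG), "rtype": rtype,
            "address": socket.inet_ntoa(rdata)}

def distinguishable_by_stub(a, b):
    """True only if the stub-visible trust signal (the AD bit) differs."""
    return stub_view(a)["ad"] != stub_view(b)["ad"]

if __name__ == "__main__":
    # Two constructed responses for the same name with different addresses.
    first = build_response("example.com", "192.0.2.10")
    second = build_response("example.com", "198.51.100.7")
    print(stub_view(first), stub_view(second))
    print("stub can tell them apart:", distinguishable_by_stub(first, second))
```

A validating resolver on the same machine checks the RRSIG chain itself rather than relying on this bit, which is the arrangement the message recommends.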