[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?

David Conrad drc at virtualized.org
Sat Oct 11 10:37:49 EDT 2014


Peter,

On Oct 11, 2014, at 1:24 AM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> So just to make sure I'm getting this right, Sonic are sending out DNSSEC-
> authenticated but invalid/spoofed/however you want to label them DNS
> responses?  

Not DNSSEC-authenticated.

> As you say, the very thing that DNSSEC was designed to prevent?

Not really.

Data between the resolver and the client application is not protected by DNSSEC.  And, of course, the resolver can do anything it wants to the data it returns to the client application.  DNSSEC can best be seen as protecting the integrity of the data that is entered into the resolver's cache.

The best (IMHO) way to protect that data is to run your own validating resolver locally (on the same machine as the client application).

Regards,
-drc
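The trust boundary Conrad describes, as an added Go model that is not part of the original thread or anyone's production code: a recursive resolver checks an RRSIG-like Ed25519 signature before admitting data to its cache (the part DNSSEC covers), then answers a stub over the unprotected last mile, where the AD flag is merely asserted by the resolver. A stub that believes AD accepts whatever the resolver hands it; a stub that validates locally against its own trust anchor does not. The zone key, the name `www.example`, the TEST-NET addresses and the `redirect` closure are constructed assumptions; real DNSSEC validates a DNSKEY/DS/RRSIG chain rather than one raw key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RRset is a deliberately simplified DNS answer: one name, one address, and an
// RRSIG-like Ed25519 signature by the zone key over name and address.
type RRset struct {
	Name string
	Addr string
	Sig  []byte
}

// Response is what crosses the last mile from resolver to stub. AD is just a
// header flag; nothing cryptographic ties it to the RRset it travels with.
type Response struct {
	RR RRset
	AD bool
}

func signingInput(name, addr string) []byte { return []byte(name + "\x00" + addr) }

// NewZoneKey stands in for the zone's DNSKEY; the public half is the trust anchor.
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign models the zone owner publishing a signed RRset.
func Sign(priv ed25519.PrivateKey, name, addr string) RRset {
	return RRset{Name: name, Addr: addr, Sig: ed25519.Sign(priv, signingInput(name, addr))}
}

// ForgedRRset models data signed by a party that does not hold the zone key.
func ForgedRRset(name, addr string) RRset {
	_, other := NewZoneKey()
	return Sign(other, name, addr)
}

// Validate is the check a DNSSEC-validating resolver performs before caching.
func Validate(anchor ed25519.PublicKey, rr RRset) bool {
	return ed25519.Verify(anchor, signingInput(rr.Name, rr.Addr), rr.Sig)
}

// RecursiveResolver validates on the way in and answers stubs from its cache.
type RecursiveResolver struct {
	anchor ed25519.PublicKey
	cache  map[string]RRset
}

func NewResolver(anchor ed25519.PublicKey) *RecursiveResolver {
	return &RecursiveResolver{anchor: anchor, cache: map[string]RRset{}}
}

// Learn models receiving an RRset from an authoritative server. This is the
// point DNSSEC protects: wrongly signed data never enters the cache.
func (r *RecursiveResolver) Learn(rr RRset) bool {
	if !Validate(r.anchor, rr) {
		return false
	}
	r.cache[rr.Name] = rr
	return true
}

// Answer serves a stub from the cache. rewrite, when non-nil, models the
// resolver operator altering the answer after validation; AD is still set,
// because AD only reports the resolver's own opinion to a stub that cannot check it.
func (r *RecursiveResolver) Answer(name string, rewrite func(RRset) RRset) (Response, bool) {
	rr, ok := r.cache[name]
	if !ok {
		return Response{}, false
	}
	if rewrite != nil {
		rr = rewrite(rr)
	}
	return Response{RR: rr, AD: true}, true
}

// StubTrustingAD is the usual non-validating stub: it believes the AD flag.
func StubTrustingAD(resp Response) (string, bool) {
	if !resp.AD {
		return "", false
	}
	return resp.RR.Addr, true
}

// LocalValidatingStub is a client running its own validating resolver: it
// re-checks the signature against its own trust anchor and ignores upstream AD.
func LocalValidatingStub(anchor ed25519.PublicKey, resp Response) (string, bool) {
	if !Validate(anchor, resp.RR) {
		return "", false
	}
	return resp.RR.Addr, true
}

func main() {
	anchor, zoneKey := NewZoneKey()
	isp := NewResolver(anchor)
	fmt.Println("forged RRset cached:", isp.Learn(ForgedRRset("www.example", "192.0.2.99")))
	fmt.Println("genuine RRset cached:", isp.Learn(Sign(zoneKey, "www.example", "192.0.2.10")))
	// Constructed scenario: the resolver changes the address after validation.
	redirect := func(rr RRset) RRset { rr.Addr = "192.0.2.99"; return rr }
	resp, _ := isp.Answer("www.example", redirect)
	addr, ok := StubTrustingAD(resp)
	fmt.Printf("AD-trusting stub: %q accepted=%v\n", addr, ok)
	addr, ok = LocalValidatingStub(anchor, resp)
	fmt.Printf("local validating stub: %q accepted=%v\n", addr, ok)
}
```

Running it shows the forged RRset rejected at `Learn`, the altered answer accepted by the AD-trusting stub, and the same answer rejected by the locally validating one: the signature still covers the original address, so only a client that verifies it can tell the difference.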
