What to do about DNS?
Posted Apr 12, 2007 7:26 UTC (Thu) by ekj
Parent article: What to do about DNS?
Even if you are certain you know the right address to use for a particular domain, you are not guaranteed that a connection made to that IP actually gets to your intended destination. In order to ensure that, you must have another layer of encryption such as HTTPS or ssh using verified keys.
Correct. And if you *do* have that -- then the DNSSEC part of the deal is completely pointless.
If I check the server-identity by the server's ssh-key or https-certificate or whatever, then I already know enough to know if I'm talking to the correct or a fake server.
Knowing that DNSSEC is fakeable by the US-govt is just icing. Makes an already stupid idea completely irrelevant.