please move this stuff into DNS
Posted Dec 26, 2008 8:27 UTC (Fri) by weasel
In reply to: please move this stuff into DNS
Parent article: SSL man-in-the-middle attacks
I think the problem with putting the cert fingerprint into DNS is the application doesn't know if the response was secured by DNSSEC or not.
Unfortunately the article you link to only states the same fact as you, and does not even try to give an explanation, reason or argument.
At least ssh appears to be able to figure out if information it gets from DNS is secure or not. It does that by checking the AD bit in the DNS response (see dns.c in its source and the VerifyHostKeyDNS entry in the ssh_config manpage).
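As an added illustration of the AD-bit check the comment describes (this is example code written for this page, not OpenSSH's dns.c and not anything from the article), the block below parses a DNS response, looks for SSHFP records, and accepts a host-key fingerprint only when the response has the AD (Authenticated Data) flag set. The DNS message, host name and host key are constructed sample data; the record layout follows RFC 1035 (message format) and RFC 4255 (SSHFP: algorithm byte, fingerprint-type byte, fingerprint).

```python
"""Trust an SSHFP fingerprint from DNS only if the resolver marked the
response as DNSSEC-authenticated (AD bit).  Constructed example; not
code from the comment, the article, or OpenSSH."""
import hashlib
import struct

TYPE_SSHFP = 44          # RFC 4255
FLAG_QR = 0x8000         # response
FLAG_RD = 0x0100         # recursion desired
FLAG_RA = 0x0080         # recursion available
FLAG_AD = 0x0020         # Authenticated Data, set by a validating resolver (RFC 4035 3.2.3)
RCODE_MASK = 0x000F


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an}


def read_name(msg, off):
    """Decode a domain name (handles 0xC0 compression pointers); return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2                           # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def sshfp_records(msg):
    """Yield (algorithm, fptype, fingerprint_bytes) for each SSHFP RR in the answer section."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    for _ in range(h["ancount"]):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_SSHFP and len(rdata) > 2:
            yield rdata[0], rdata[1], rdata[2:]


def key_verified_by_dns(msg, host_key):
    """True only if the response is a clean, AD-flagged answer AND an SSHFP
    record with fingerprint type 1 (SHA-1) matches the offered host key.
    Without AD the record is treated as if it were absent."""
    h = parse_header(msg)
    if not (h["qr"] and h["ad"] and h["rcode"] == 0):
        return False
    digest = hashlib.sha1(host_key).digest()
    return any(fpt == 1 and fp == digest for _, fpt, fp in sshfp_records(msg))


# --- constructed sample data (hypothetical host, not a real key) ---
HOST_KEY = b"ssh-rsa constructed-example-host-key-blob"
QNAME = b"\x04host\x07example\x03com\x00"


def build_response(ad, host_key=HOST_KEY):
    """Build a minimal SSHFP response for host.example.com, with or without AD."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    rdata = bytes([1, 1]) + hashlib.sha1(host_key).digest()   # algorithm RSA(1), fptype SHA-1(1)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = QNAME + struct.pack("!HH", TYPE_SSHFP, 1)      # class IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SSHFP, 1, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print("AD set, key matches   :", key_verified_by_dns(build_response(True), HOST_KEY))
    print("AD clear, key matches :", key_verified_by_dns(build_response(False), HOST_KEY))
    print("AD set, key differs   :", key_verified_by_dns(build_response(True), b"other"))
```

The AD flag only reports what the resolver that answered the query validated; it says nothing about the path between the stub and that resolver. A check like this is therefore only meaningful when the resolver is trusted and reached over a trusted channel (a local validating resolver, for example), or when the client validates the DNSSEC chain itself.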