Even if you are certain you know the right address to use for a particular domain, you are not guaranteed that a connection made to that IP actually gets to your intended destination. In order to ensure that, you must have another layer of encryption such as HTTPS or ssh using verified keys.
Correct. And if you *do* have that -- then the DNSSEC part of the deal is completely pointless.
If I check the server-identity by the server's ssh-key or https-certificate or whatever, then I already know enough to know if I'm talking to the correct or a fake server.
Knowing that DNSSEC is fakeable by the US-govt is just icing. Makes an already stupid idea completely irrelevant.
Copyright © 2017, Eklektix, Inc.