These are, to an extent, separate problems. Having good host keys lets you know if someone is trying to spoof you. A spoof through DNS cache poisoning is either a penetration (of sorts) if you don't detect the spoof, or a denial of service if you do. DNSSEC tries to prevent the denial of service scenario by not directing you to bogus sites. Granted, there's still the spoofed traffic problem, but it requires the attacker to be close (in the network) to either the target server or the target client, and potentially requires capturing a lot of packets. This is a much higher bar than injecting a bogus DNS entry.
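The first point in the comment above, that a pinned host key lets the client notice when DNS has steered it to the wrong machine, can be shown with a small known_hosts check. The following is an added example, not code from the comment, from LWN or from OpenSSH: it builds a constructed known_hosts file (made-up key bytes and hostnames), then reports `ok`, `mismatch` (the spoof case) or `unknown` for a key presented by whatever host the name resolved to. It also handles the hashed `|1|salt|hash` host form that OpenSSH writes with HashKnownHosts, and prints OpenSSH-style SHA256 fingerprints.

```python
import base64
import hashlib
import hmac


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field; supports the hashed '|1|salt|hash' form (HMAC-SHA1)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac), hash_b64.encode())
    # Plain entries may list several names/addresses separated by commas.
    return host in pattern.split(",")


def verify_host_key(known_hosts: str, host: str, keytype: str, presented_b64: str) -> str:
    """Compare the key a server presented against the pinned entry for `host`.

    Returns 'ok' (pinned key matches), 'mismatch' (a key of this type is pinned
    but differs: treat as a possible spoof) or 'unknown' (nothing pinned).
    """
    presented = base64.b64decode(presented_b64)
    pinned_type_seen = False
    for line in known_hosts.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        pattern, entry_type, entry_b64 = fields[:3]
        if not host_matches(pattern, host) or entry_type != keytype:
            continue
        pinned_type_seen = True
        if hmac.compare_digest(base64.b64decode(entry_b64), presented):
            return "ok"
    return "mismatch" if pinned_type_seen else "unknown"


# Constructed sample keys: 32 made-up bytes each, NOT real server keys.
REAL_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SPOOF_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
REAL_B64 = base64.b64encode(REAL_KEY).decode()
SPOOF_B64 = base64.b64encode(SPOOF_KEY).decode()

# Constructed hashed entry for a second (hypothetical) host, as HashKnownHosts would write it.
SALT = bytes(20)
HASHED_HOST = "|1|{}|{}".format(
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"git.example.internal", hashlib.sha1).digest()).decode(),
)

# Constructed known_hosts file (hostnames are hypothetical).
KNOWN_HOSTS = f"""# constructed known_hosts for the example
build.example.internal,10.0.0.5 ssh-ed25519 {REAL_B64}
{HASHED_HOST} ssh-ed25519 {REAL_B64}
"""


if __name__ == "__main__":
    # The server the name resolved to presents a key; compare against the pin.
    for host, key_b64 in [
        ("build.example.internal", REAL_B64),   # legitimate server
        ("build.example.internal", SPOOF_B64),  # name resolved to the wrong machine
        ("git.example.internal", REAL_B64),     # matched via the hashed entry
        ("other.example.internal", REAL_B64),   # nothing pinned yet
    ]:
        verdict = verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key_b64)
        print(f"{host}: {verdict} (presented {fingerprint(base64.b64decode(key_b64))})")
```

The `mismatch` result is the one that turns a silent redirection into a visible failure: the client has no way to tell from DNS alone that the name now points elsewhere, but a previously pinned key that no longer matches is detectable without any help from the resolver.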
Copyright © 2017, Eklektix, Inc.