On Thu, 2011-10-13 at 10:29 +0200, Benny Amorsen wrote:
> Tomas Mraz <tmraz@xxxxxxxxxx> writes:
>
> > And if this malicious DNS administrator controls the caching
> > nameserver you're using for DNS queries, he can present you ANY data
> > even 'valid' fake DNSSEC data.
>
> This is not generally true. Resolver libraries can (and should, IMHO)
> verify DNSSEC themselves. Otherwise DNSSEC is somewhat pointless,
> because it is precisely when you are stuck behind an untrusted Wifi
> gateway that you need DNSSEC the most.

Yes, they can and should. But they don't.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb