Re: Quic: the elephant in the room

On Apr 11, 2021, at 7:56 AM, Phillip Hallam-Baker <phill@xxxxxxxxxxxxxxx> wrote:
> Only VERIFYING digital signatures provides security. And nobody knows what
> to do when DNSSEC validation fails so nobody really does it

This is false both in premise and conclusion.  I was tempted to ignore
the rest of the post, but ...

If nobody is ever going to check the sigs, they could simply be random bytes.

People are validating. See, e.g., https://stats.labs.apnic.net/dnssec

As you’re undoubtedly aware, validation failure results in a SERVFAIL response. In the case of an A or AAAA query, applications do not get an IP address back so it isn’t possible for users to "click through" to potentially compromised sites. Not an ideal error handling approach but arguably safer than alternatives.

Regards,
-drc
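
The behaviour described in the message above, as an added example that is not part of the original post: a stub-side check that reads the DNS response header, reports whether the resolver validated the answer (AD bit), and confirms a SERVFAIL as a DNSSEC failure by comparing it with a retry sent with Checking Disabled set. The function names, labels and sample headers are assumptions constructed for illustration.

```python
import struct
from typing import Optional

# Header flag masks: RFC 1035 layout, AD/CD bits as defined for DNSSEC (RFC 4035).
QR, AD, CD, RCODE_MASK = 0x8000, 0x0020, 0x0010, 0x000F
NOERROR, SERVFAIL = 0, 2

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    return {"id": ident, "rcode": flags & RCODE_MASK,
            "ad": bool(flags & AD), "cd": bool(flags & CD), "answers": an}

def classify(normal: bytes, cd_retry: Optional[bytes] = None) -> str:
    """normal: reply to an ordinary query; cd_retry: reply to the same query
    re-sent with Checking Disabled set (what `dig +cd` does)."""
    h = parse_header(normal)
    if h["rcode"] == NOERROR:
        return "secure" if h["ad"] else "insecure"  # AD=1: resolver validated
    if h["rcode"] != SERVFAIL:
        return "other"
    if cd_retry is None:
        return "servfail-unconfirmed"
    r = parse_header(cd_retry)
    # Data comes back only when validation is skipped: the failure was DNSSEC.
    if r["rcode"] == NOERROR and r["answers"] > 0:
        return "bogus"
    return "servfail-other"

def usable_answers(normal: bytes) -> int:
    """Answer records an application can act on; 0 on SERVFAIL."""
    h = parse_header(normal)
    return h["answers"] if h["rcode"] == NOERROR else 0

def _hdr(flags: int, ancount: int) -> bytes:
    """Constructed sample header: ID 0x1234, one question."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples (headers only; not captured traffic).
SECURE = _hdr(0x81A0, 1)    # QR RD RA AD, NOERROR
INSECURE = _hdr(0x8180, 1)  # QR RD RA, NOERROR
FAILED = _hdr(0x8182, 0)    # QR RD RA, SERVFAIL, no answer records
CD_OK = _hdr(0x8190, 1)     # QR RD RA CD, NOERROR
```

The AD bit is only as trustworthy as the path between the stub and the resolver that set it.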
