It doesn't make it any less true either! A local attacker on a user's network can subvert DNSSEC trivially, but they can't subvert a DV cert issuance. DV cert mis-issuance due to domain spoofing is basically unheard of, but CT logs are a great improvement that really nails it.
Plenty of evidence for DNSSEC outages, plenty of evidence that DNSSEC does not in fact work, plenty of evidence of DNSSEC in DDoS attacks. Not end-to-end, broken crypto, downgrades, awful trust model, no end-user signaling. Don't use DNSSEC.
It is end-to-end as used for app security in DANE or to defend a resolver cache against poisoning. Yes, if you're using quad 8/9 you don't get MITM protection, but you're not using DNSSEC, the resolver operator is; (surprise!) non-users are not protected. The algs are good enough.
It's end-to-end in neither case. Users aren't resolver caches or SMTP servers. This is "Well, I locked the side door, so if the attacker goes there, we're good. Never mind the open front door" 'security'.