
31 Mar 2010, 10:12 a.m.
Hi McTim, et al,

McTim wrote:
DNSSEC was designed to protect against a limited set of attacks, such as DNS cache poisoning, Man in the middle, etc. It provides: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence. DNSSEC, if implemented, only provides security when you ask a question of the DNS database (in this case, Robert's browser had asked "what is the IP address of kenic.or.ke?"). It's nothing to do with https or CAs, self signed or not. That's a completely different layer.
DNSSEC-aware browsers and resolvers would still be a challenge to end users. A lot more problems come from end-user infrastructure: firewalls that block TCP port 53 or limit UDP packets to 512 bytes.

Regards,
Michuki.
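The firewall point above is about DNS wire mechanics: signed answers carry RRSIG records and routinely exceed the classic 512-byte UDP limit, so a DNSSEC-aware stub has to advertise a larger buffer via EDNS0 (with the DO bit set), and when a reply still comes back truncated it must retry over TCP port 53, which is exactly the path those edge firewalls cut off. The following Python is an added illustration, not code from this thread or from any resolver project; the function names (`build_query`, `opt_record`, `triage`) are my own, and the two reply messages are constructed by hand rather than captured from a real resolver.

```python
import struct

TYPE_A = 1
TYPE_OPT = 41
DO_FLAG = 0x8000           # "DNSSEC OK" bit in the OPT record's extended flags (RFC 4035)
CLASSIC_UDP_LIMIT = 512    # largest DNS/UDP payload without EDNS0 (RFC 1035)

# DNS header flag bits
F_QR, F_TC, F_RD, F_RA, F_AD, F_CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off`, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec_ok=True, udp_payload=4096):
    """Build a recursive query; with dnssec_ok, append an EDNS0 OPT RR with DO=1."""
    header = struct.pack(">HHHHHH", txid, F_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP size,
        # TTL = ext-rcode / version / DO flag, RDLENGTH 0
        opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_payload, DO_FLAG, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a stub resolver acts on."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & F_QR), "tc": bool(flags & F_TC),
            "ra": bool(flags & F_RA), "ad": bool(flags & F_AD),
            "cd": bool(flags & F_CD), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def opt_record(msg):
    """Return (udp_payload_size, do_bit) from the OPT RR, or None if there is no EDNS0."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return None


def triage(resp, expected_id):
    """Classify a reply the way a stub's retry logic must before trusting any data."""
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "discard"
    if h["tc"]:
        return "truncated-retry-over-tcp"   # needs TCP/53, the port many edge firewalls block
    if h["rcode"] == 2:
        return "servfail"                   # a validating resolver reports bogus data this way
    if h["ad"]:
        return "validated"                  # AD is only as trustworthy as the path to the resolver
    return "unvalidated"


# Constructed sample replies to build_query("kenic.or.ke") (not captured traffic).
QUESTION = encode_name("kenic.or.ke") + struct.pack(">HH", TYPE_A, 1)
TRUNCATED = struct.pack(">HHHHHH", 0x1234, F_QR | F_TC | F_RD | F_RA, 1, 0, 0, 0) + QUESTION
VALIDATED = (struct.pack(">HHHHHH", 0x1234, F_QR | F_RD | F_RA | F_AD, 1, 1, 0, 0) + QUESTION
             + b"\xC0\x0C" + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_query("kenic.or.ke")
    print("query bytes:", len(q), "EDNS0 (udp size, DO):", opt_record(q))
    for label, reply in (("truncated", TRUNCATED), ("validated", VALIDATED)):
        print(label, "->", triage(reply, 0x1234))
```

The AD bit in `triage` deserves the same scepticism the message gives to "DNSSEC-aware browsers": a stub that does not validate itself is trusting whatever resolver answered it, over whatever network path it used, so a truncated reply with no TCP fallback, or a spoofed AD flag on an untrusted path, both leave the browser no better off than before.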