[148060] in cryptography@c2.net mail archive

Re: [Cryptography] DNSSEC = completely unnecessary?

daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Nov 6 17:39:43 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <alpine.LFD.2.10.1311061658210.6067@bofh.nohats.ca>
Date: Wed, 6 Nov 2013 22:35:03 +0000
From: Ben Laurie <ben@links.org>
To: Paul Wouters <paul@cypherpunks.ca>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>,
	Kelly John Rose <iam@kjro.se>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 6 November 2013 22:02, Paul Wouters <paul@cypherpunks.ca> wrote:
> On Wed, 6 Nov 2013, Ben Laurie wrote:
>
>>>> How did DNS get this magic un-MITM-able property?
>>>>
>>>> Surely if the GoC wants to cause nohats.ca to be modified, for some
>>>> specific target(s), they can do that?
>>>
>>>
>>> He didn't say it isn't MITM-able. He said that it cannot do so
>>> invisibly. In his model Eve would be able to perform a MITM attack, but
>>> it would be immediately apparent to any party since the public
>>> information would have to change.
>>
>>
>> I got what he said. It's not true.
>
>
> I could send my DNS queries over tor or over an IPsec VPN to some resolver.

And if you are not the target, you will not see the targeted response.

Likewise, the same thing could be done with HTTPS...

> You are assuming my DNS goes out my network port in a way you can read
> it and with private key of the root or TLD send me custom answers.

_You_ get the standard answers.

The target gets the custom answers.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
