[dns-wg] What about the last mile, was: getting DNSSEC deployed

David Conrad wrote:
>>     NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS
> ...
>> As noted, dnssec can protect against spoofed dns info.
> 
> Except DNSSEC wouldn't really be applicable.
> 
> The attack (as I understand it) provides a new IP address (that of an
> attacker-owned caching resolver) to clients on a LAN attached to the
> broadband router, with the attacker-owned caching resolver returning
> answers to stub resolver queries.  Since validation is done at the
> caching resolver, DNSSEC wouldn't apply.

It would apply in the (theoretical) subset of applications that are
configured to rely on signed and validated responses, like hopefully
windows/osx/mozilla/other software updaters could be configured to do.
It could also apply to an even more theoretical future browser feature
that uses a mechanism similar to the shiny gold SSL padlock icon to
indicate a signed and validated response, but the value of that would
be limited to the subset of users who wouldn't just click "go to the
site anyway" like they do with SSL warnings now.

Doug

-- 
    If you're never wrong, you're not trying hard enough