Hello

On Fri, Nov 22, 2013 at 10:07:51AM +0000, Dave Cridland wrote:
>  - If an attacker removes the record by fiddling with the DNS, then they
> can mount an MITM attack. Note that they can also fiddle the DNS into
> redirecting the connection too. It's not clear if this makes things any
> harder than before.
> 
>  - If an attacker adds in a TLSA record, this could act as a denial of
> service.
> 
> On reflection, I'm not sure if this is actually an overall benefit, but I
> thought I'd throw the idea out.

I didn't read the RFC, but my impression was that it mandated that TLSA records
always be signed by DNSSEC. So, the right thing should probably be to ignore and
warn about unsigned TLSA records, not to honor them.

With regards

-- 
Look! Behind you!

Michal 'vorner' Vaner
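The policy argued for above (a TLSA answer that is not DNSSEC-validated is ignored with a warning, never pinned against and never treated as a hard failure), as an added example that is not part of the thread; the DER bytes are constructed stand-ins, the `dnssec_validated` flag is assumed to come from a validating resolver, and usages 0 and 1 would additionally need ordinary PKIX validation, which is not shown.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data carried by the record


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this TLSA record describe the presented certificate?"""
    selected = spki_der if rec.selector == 1 else cert_der
    if rec.matching == 0:
        return selected == rec.data
    if rec.matching == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False  # unknown matching type: unusable, never a match


def dane_decision(records, dnssec_validated: bool, cert_der: bytes, spki_der: bytes):
    """Return (outcome, message). outcome is one of:
    'pki-only'  ignore TLSA, fall back to ordinary certificate checks
    'match'     a DNSSEC-validated TLSA record matches the certificate
    'fail'      validated TLSA data exists but nothing matches: abort"""
    if not dnssec_validated:
        # An unsigned TLSA answer carries no assurance: it must neither pin
        # (attacker-added record as denial of service) nor be trusted.
        return "pki-only", "warning: TLSA answer not DNSSEC-validated; ignored"
    usable = [r for r in records if r.matching in (0, 1, 2)]
    if not usable:
        return "pki-only", "no usable TLSA records"
    if any(tlsa_matches(r, cert_der, spki_der) for r in usable):
        return "match", "certificate matches a DNSSEC-validated TLSA record"
    return "fail", "validated TLSA records present but none match"


# Constructed sample input (not real DER): stands in for the server's
# certificate and its SubjectPublicKeyInfo as extracted by a TLS library.
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-spki-der-bytes"
SAMPLE_TLSA = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI_DER).digest())

if __name__ == "__main__":
    for validated in (False, True):
        print(validated, dane_decision([SAMPLE_TLSA], validated, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```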