
thunderfork, yesterday at 7:30 PM (2 replies)

>It's just that most clients don't perform local validation due to low adoption.

From your link elsewhere, https://easydns.com/blog/2015/08/06/for-dnssec/

>We might see a day when HTTPS key pinning and the preload list is implemented across all major browsers, but we will never see these protections applied in a uniform fashion across all major runtime environments (Node.js, Java, .NET, etc.)[...]

Is this not the same flaw?


Replies

ekr____, yesterday at 7:43 PM

It's actually not safe for clients to perform local validation because a quite significant fraction of middleboxes and the like strip out RRSIG and the like or otherwise tamper with the records in such a way that the signatures don't validate.
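To make the failure mode in that reply concrete, here is an added example (not code from the thread or from any of the commenters) that builds a minimal DNS response in wire format, simulates a middlebox that forwards the answer but drops the RRSIG records, and then classifies what a locally validating stub would see. The message layout follows RFC 1035 (headers, names, RRs), RFC 6891 (the OPT record and its DO flag) and RFC 4034 (RRSIG RDATA layout); the name, address and RRSIG bytes are constructed placeholders, not a real signature, and the function names are my own.

```python
"""Added example: detect RRSIG-stripping in a DNS response before local validation."""
import struct

# RR type codes from RFC 1035, RFC 6891 and RFC 4034
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000  # DNSSEC OK flag: high bit of the OPT pseudo-RR "TTL" field


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(qname, answers, do_bit):
    """Response with one question, the given answer RRs, and an OPT RR carrying the DO flag."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 1)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        body += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    # OPT pseudo-RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
    body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do_bit else 0, 0)
    return header + body


def parse_response(msg):
    """Return ([(rtype, rdata), ...] for the answer section, do_bit) from a wire-format response."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, answers, do_bit = 12, [], False
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        _, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            do_bit = bool(ttl & EDNS_DO)
        elif i < an:
            answers.append((rtype, rdata))
    return answers, do_bit


def middlebox_strip_rrsig(msg, qname):
    """Simulated middlebox: forwards the answer data but silently drops every RRSIG."""
    answers, do_bit = parse_response(msg)
    kept = [(t, rd) for t, rd in answers if t != TYPE_RRSIG]
    return build_response(qname, kept, do_bit)


def validation_outcome(msg):
    """What a locally validating stub would conclude from the signalling it can see."""
    answers, do_bit = parse_response(msg)
    has_data = any(t != TYPE_RRSIG for t, _ in answers)
    has_sig = any(t == TYPE_RRSIG for t, _ in answers)
    if not do_bit:
        return "DO flag missing"   # path did not preserve EDNS/DNSSEC signalling
    if has_data and not has_sig:
        return "RRSIG missing"     # signed zone, no signatures: validator returns bogus/SERVFAIL
    return "signed"                # signatures present; cryptographic validation can proceed


# Constructed sample: an A record plus a placeholder RRSIG (RFC 4034 layout, fake signature bytes)
QNAME = "www.example.com."
A_RDATA = bytes([192, 0, 2, 1])
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 13, 3, 300, 0, 0, 12345)
               + encode_name("example.com.") + b"\x00" * 64)
INTACT = build_response(QNAME, [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)], True)
STRIPPED = middlebox_strip_rrsig(INTACT, QNAME)

if __name__ == "__main__":
    print("intact  :", validation_outcome(INTACT))
    print("stripped:", validation_outcome(STRIPPED))
```

The point of the classifier is that a stub doing its own validation cannot distinguish a stripped response from a forged one: both lack valid signatures for a zone it knows to be signed, so the only safe answer is SERVFAIL, which is why a client behind such a path sees breakage rather than a downgrade.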

indolering, yesterday at 7:32 PM

No! Because it's totally possible for operating system vendors to flip that switch without requiring every upstream project to adopt key pinning. It's MUCH less infrastructure to upgrade.