← Back to context

Comment by thunderfork

4 hours ago

>It's just that most clients don't perform local validation due to low adoption.

From your link elsewhere, https://easydns.com/blog/2015/08/06/for-dnssec/

>We might see a day when HTTPS key pinning and the preload list is implemented across all major browsers, but we will never see these protections applied in a uniform fashion across all major runtime environments (Node.js, Java, .NET, etc.)[...]

Is this not the same flaw?

2 comments

thunderfork

Reply
ekr____  4 hours ago

It's actually not safe for clients to perform local validation because a quite significant fraction of middleboxes and the like strip out RRSIG and the like or otherwise tamper with the records in such a way that the signatures don't validate.

indolering  4 hours ago

No! Because it's totally possible for operating system vendors to flip that switch without requiring every upstream project to adopt key pinning. It's MUCH less infrastructure to upgrade.