by cryptonector
1497 days ago

The root zone doesn't change often. You can pin . or even run your own private . with pinned . content if you don't trust the root. If you do, then you get MITM protection. If you don't, but choose to use QName minimization, you still get a modicum of MITM protection, because the attacker would have to choose to get in the middle without having enough knowledge of whether a particular upcoming TLS connection (or whatever) will be of particular interest. Really, DNSSEC is infinitely better than the WebPKI, even WebPKI+CT, especially when DNSSEC clients use QName minimization, and even more so when clients pin copies of . from time to time.
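An added illustration of the QName minimization point in the comment above (not part of the comment or written by its author): a simplified model of which names each level of the DNS hierarchy gets to see, with and without minimization. The query name and the zone cuts are constructed sample data, and the model ignores caching, QTYPE selection and retries.

```python
# Simplified model of the names each zone's servers see during iterative
# resolution. Assumption: one query per step, no cache, no QTYPE handling.

def labels(name):
    return [l for l in name.rstrip(".").split(".") if l]

def ancestors(name):
    """'a.b.c' -> ['c.', 'b.c.', 'a.b.c.'] (shortest first)."""
    ls = labels(name)
    return [".".join(ls[i:]) + "." for i in range(len(ls) - 1, -1, -1)]

def queries_seen(qname, zone_cuts, minimise):
    """Return [(zone_whose_servers_are_asked, name_sent), ...]."""
    full = ".".join(labels(qname)) + "."
    zone, seen = ".", []
    for candidate in ancestors(qname):
        if minimise:
            # Reveal only one label more than the deepest known zone cut.
            seen.append((zone, candidate))
        elif not seen or seen[-1][0] != zone:
            # Classic resolution: every zone in the chain gets the full name.
            seen.append((zone, full))
        if candidate in zone_cuts:
            zone = candidate  # follow the delegation
    if seen and seen[-1][0] != zone:
        seen.append((zone, full))  # final query goes to the child zone
    return seen

def zones_learning_full_name(qname, zone_cuts, minimise):
    """Zones whose servers (or an on-path observer there) see the full name."""
    full = ".".join(labels(qname)) + "."
    hits = {z for z, sent in queries_seen(qname, zone_cuts, minimise) if sent == full}
    return sorted(hits)

# Constructed sample data (hypothetical name and delegation points).
QNAME = "login.internal.example.org"
CUTS = {"org.", "example.org."}

if __name__ == "__main__":
    for mode in (False, True):
        print("minimised" if mode else "full QNAME")
        for zone, sent in queries_seen(QNAME, CUTS, mode):
            print(f"  servers for {zone:<14} see {sent}")
```

With minimization on, anything positioned at the root or at `org.` in this model learns only `org.` or `example.org.`, not the name the client actually wants.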