thunderfork, 6 hours ago:

> It's just that most clients don't perform local validation due to low adoption.

From your link elsewhere, https://easydns.com/blog/2015/08/06/for-dnssec/

> We might see a day when HTTPS key pinning and the preload list is implemented across all major browsers, but we will never see these protections applied in a uniform fashion across all major runtime environments (Node.js, Java, .NET, etc.) [...]

Is this not the same flaw?
ekr____, 6 hours ago:

It's actually not safe for clients to perform local validation because a quite significant fraction of middleboxes and the like strip out RRSIG and the like or otherwise tamper with the records in such a way that the signatures don't validate.
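As an added illustration of the failure mode described in that comment (this is not code from the thread or from any resolver), the toy validating stub resolver below classifies an answer as secure, insecure or bogus. The zone names, addresses and the key table are constructed, and an HMAC stands in for the public-key RRSIG a real DNSSEC signer would produce; the structure of the decision is what matters: once the validator knows a zone is signed, a response with the RRSIG stripped or the RRset rewritten can only be treated as bogus, which the application sees as SERVFAIL.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed stand-in for the DNSKEY/DS chain of trust. A real validator
# walks the chain from the root; here a zone counts as signed if it has a key.
ZONE_KEYS = {"example.test.": b"constructed-zone-signing-key"}


@dataclass(frozen=True)
class Response:
    zone: str           # zone the answer came from
    name: str
    rtype: str
    rdata: tuple        # RRset contents, e.g. A-record addresses
    rrsig: str | None   # simulated RRSIG; None models a middlebox that dropped it


def canonical(name: str, rtype: str, rdata: tuple) -> bytes:
    """Canonical form of the RRset that is covered by the signature."""
    return f"{name}|{rtype}|{','.join(sorted(rdata))}".encode()


def sign_rrset(zone: str, name: str, rtype: str, rdata: list) -> Response:
    """Authoritative side: attach a simulated RRSIG (HMAC in place of a public-key signature)."""
    sig = hmac.new(ZONE_KEYS[zone], canonical(name, rtype, tuple(rdata)), hashlib.sha256).hexdigest()
    return Response(zone, name, rtype, tuple(rdata), sig)


def validate(resp: Response) -> str:
    """Validating stub resolver: 'secure', 'insecure' (unsigned zone) or 'bogus'."""
    key = ZONE_KEYS.get(resp.zone)
    if key is None:
        return "insecure"          # no DS for this zone: nothing to check
    if resp.rrsig is None:
        return "bogus"             # signed zone but the RRSIG never arrived
    expected = hmac.new(key, canonical(resp.name, resp.rtype, resp.rdata), hashlib.sha256).hexdigest()
    return "secure" if hmac.compare_digest(expected, resp.rrsig) else "bogus"


def resolve(resp: Response) -> list | None:
    """What the application sees: the RRset, or None (SERVFAIL) when validation fails."""
    return list(resp.rdata) if validate(resp) in ("secure", "insecure") else None


# The two middlebox behaviours named in the comment, as constructed simulations.
def strip_rrsig(resp: Response) -> Response:
    return replace(resp, rrsig=None)


def rewrite_rdata(resp: Response, new_rdata: list) -> Response:
    return replace(resp, rdata=tuple(new_rdata))


if __name__ == "__main__":
    good = sign_rrset("example.test.", "www.example.test.", "A", ["192.0.2.10"])
    cases = [
        ("clean path", good),
        ("RRSIG stripped", strip_rrsig(good)),
        ("rdata rewritten", rewrite_rdata(good, ["198.51.100.7"])),
        ("unsigned zone", Response("unsigned.test.", "www.unsigned.test.", "A", ("203.0.113.1",), None)),
    ]
    for label, r in cases:
        print(f"{label:16s} -> {validate(r):8s} app sees {resolve(r)}")
```

In this model the DS chain is just the ZONE_KEYS table; a real validator may downgrade to "insecure" only after an NSEC/NSEC3-backed proof that no DS record exists, which is precisely the step a middlebox that drops RRSIGs cannot supply. That is why a locally validating client behind such a box fails closed rather than quietly accepting the answer.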
indolering, 6 hours ago:

No! Because it's totally possible for operating system vendors to flip that switch without requiring every upstream project to adopt key pinning. It's MUCH less infrastructure to upgrade.