Author: Matt Corallo 2011-07-26 16:24:36
Published on: 2011-07-26T16:24:36+00:00
The email thread starts with Rick Wesson explaining that on a coffee shop network, an upstream resolver can easily claim that the requested zone is not DNSSEC signed and return its own data. He suggests implementing a full DNS resolver to make Bitcoin secure. Another user argues that this attack can also apply to HTTPS with a self-signed cert where the A record is replaced by the attacker, but notes that Windows has supported DNSSEC since 2008, and that most Unix variants, Mac OS X since 10.3, and Android include DNSSEC-capable resolvers. The discussion then moves on to whether DNSSEC is a good idea for Bitcoin address communication or whether HTTPS has more advantages without significant drawbacks. The goal is a simpler user experience, but implementing a full resolver with root trust anchors and knowledge of the root servers inside Bitcoin does not seem to be a good idea.
Updated on: 2023-05-18T21:29:09.238561+00:00