[Free-RTC] kamailio script for federated communications

Emil Ivov emcho at jitsi.org
Fri Jun 21 18:14:40 CEST 2013



On 21.06.13, 17:41, Olle E. Johansson wrote:
>
> On 21 Jun 2013, at 15:05, Daniel Pocock <daniel at pocock.com.au> wrote:
>
>>> * The config uses DNS to establish the transport available on the
>>> remote proxy. It doesn't use DNSSEC to do this.
>>
>> I'm not sure if DNSSEC matters if the TLS certificate is valid - some
>> people may prefer to trust the TLS cert and not place any trust in the
>> DNSSEC trust model
>
> That's quite a misguided statement. If DNS points to an incorrect
> destination that succeeds in providing a certificate that you accept -
> how can that be a good solution?

That's a bit inaccurate. If I am trying to reach jit.si through TLS and 
a malicious DNS record sends me toward evil.example.com, it wouldn't be 
enough for evil.example.com to just have a valid cert.

It would need to provide a valid certificate for jit.si.

Emil


-- 
https://jitsi.org
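
The check discussed in this message, as an added example that is not part of the original post or of any project's code: the certificate's names are compared with the domain the client set out to reach, never with the host that DNS returned. The function names, the scenario list and the boolean standing in for chain validation are assumptions made for illustration.

```python
# Added illustration: all names and certificates below are constructed samples.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, reference):
    """Match one certificate dNSName against the name the client intended to reach.
    A '*' is honoured only as the entire left-most label and covers one label."""
    p, r = _labels(pattern), _labels(reference)
    if len(p) != len(r) or "" in p or "" in r:
        return False
    if p[0] == "*":
        # Crude guard against patterns like "*.com"; not a public-suffix check.
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r

def peer_is_acceptable(intended_domain, resolved_target, cert_dns_names, chain_valid):
    """Decide whether to proceed after the TLS handshake.
    resolved_target is where unauthenticated DNS sent us. It is deliberately
    ignored: whoever controls the DNS answer also controls that value."""
    if not chain_valid:
        return False
    return any(dns_name_matches(n, intended_domain) for n in cert_dns_names)

# (DNS answer, dNSNames in the presented certificate, chain validates to a trusted CA?)
SCENARIOS = [
    ("sip.jit.si", ["jit.si", "*.jit.si"], True),      # honest DNS, honest server
    ("evil.example.com", ["evil.example.com"], True),  # spoofed DNS, valid cert for its own name
    ("evil.example.com", ["jit.si"], False),           # spoofed DNS, self-signed cert claiming jit.si
]

def run(intended="jit.si"):
    return [peer_is_acceptable(intended, target, names, ok)
            for target, names, ok in SCENARIOS]

if __name__ == "__main__":
    for (target, names, ok), verdict in zip(SCENARIOS, run()):
        print(f"DNS -> {target:18} cert={names} chain_ok={ok} accept={verdict}")
```
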

