[Free-RTC] kamaillio script for federated communications
Olle E. Johansson
oej at edvina.net
Mon Jun 24 09:03:38 CEST 2013
On 21 Jun 2013, at 18:14, Emil Ivov <emcho at jitsi.org> wrote:
>
>
> On 21.06.13, 17:41, Olle E. Johansson wrote:
>>
>> On 21 Jun 2013, at 15:05, Daniel Pocock <daniel at pocock.com.au> wrote:
>>
>>>> * The config uses DNS to establish the transport available on the
>>>> remote proxy. It doesn't use DNSSEC to do this.
>>>
>>> I'm not sure if DNSSEC matters if the TLS certificate is valid - some
>>> people may prefer to trust the TLS cert and not place any trust in the
>>> DNSSEC trust model
>>
>> That's quite a misguided statement. If DNS points to an incorrect
>> destination that succeeds in providing a certificate that you
>> accept - how can that be a good solution?
>
> That's a bit inaccurate. If I am trying to reach jit.si through TLS and a malicious DNS record sends me toward evil.example.com, it wouldn't be enough for evil.example.com to just have a valid cert.
>
> It would need to provide a valid certificate for jit.si
Of course - that's the only one you should accept. (hopefully)
/O
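
The check discussed in this thread, as an added example that is not part of the original messages or of any project's code: the certificate is matched against the domain that was requested, never against the host name an unsigned DNS answer returned. All records and certificate names are constructed sample data, and sip.jit.si is a hypothetical host name.

```python
# Added example: reference-identity check for a TLS peer reached via unsigned DNS.
# All DNS answers and certificate names below are constructed sample data.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate dNSName with a hostname (RFC 6125 style).

    A wildcard is honoured only as the complete left-most label and
    covers exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.si" can never match.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_valid_for(san_dns_names, reference_id: str) -> bool:
    """True if any subjectAltName dNSName covers the reference identity."""
    return any(dns_name_matches(n, reference_id) for n in san_dns_names)


def accept_peer(requested_domain, srv_target, san_dns_names, pin_to_request=True):
    """Decide whether to accept a peer certificate.

    requested_domain: domain taken from the address the user dialled.
    srv_target: host name returned by an unsigned DNS lookup (untrusted).
    pin_to_request=False models the flawed check that trusts the DNS answer.
    """
    reference = requested_domain if pin_to_request else srv_target
    return cert_valid_for(san_dns_names, reference)


# Constructed scenario: a forged answer redirects jit.si to evil.example.com,
# which presents a CA-valid certificate for its own name only.
FORGED_TARGET = "evil.example.com"
EVIL_CERT_SANS = ["evil.example.com"]
# Constructed legitimate case: a genuine target whose certificate names jit.si.
REAL_TARGET = "sip.jit.si"  # hypothetical host name
REAL_CERT_SANS = ["jit.si", "*.jit.si"]

if __name__ == "__main__":
    print(accept_peer("jit.si", FORGED_TARGET, EVIL_CERT_SANS))         # False
    print(accept_peer("jit.si", FORGED_TARGET, EVIL_CERT_SANS, False))  # True
    print(accept_peer("jit.si", REAL_TARGET, REAL_CERT_SANS))           # True
```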