
Wrong (EDIT: oops, I am wrong) current.cvd.clamav.net is (EDIT:) NOT currently DNSSEC-signed.

Just that their dnsquery() via freshclam daemon is not using val_res_query() when pulling in the version number, so it is unverified DNS querying going on … over there.



But there's no chain from the root, or at least that's what I'm getting from this tool [1].

[1] https://dnssec-analyzer.verisignlabs.com/clamav.net


NASTY! You’d be right. I too did not get the ‘ad’ notation in my own dig response record.

This means any TXT record can easily be spoofed via simple transparent MitM packet munging.

https://dnssec-analyzer.verisignlabs.com/current.cvd.clamav....
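
What the missing 'ad' flag in that dig output corresponds to on the wire, as an added example that is not part of the thread or of ClamAV's code: it parses a DNS response, reads the AD bit, and only hands back the TXT payload when the resolver marked it as validated. The function names, the transaction ID and the TXT value are constructed for illustration.

```python
import struct

AD_FLAG = 0x0020                 # "authentic data" bit in the header flags (RFC 4035)
TYPE_TXT, TYPE_RRSIG = 16, 46

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, txt, ad):
    """Constructed sample: a one-answer TXT response, with or without AD."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA (+ AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, 1)
    rdata = bytes([len(txt)]) + txt.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 900, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:     # a compression pointer ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def inspect(msg):
    """Return (ad_set, txt_strings, has_rrsig) for a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    txts, has_rrsig = [], False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TXT:                        # first character-string only
            txts.append(msg[off + 1:off + 1 + msg[off]].decode())
        has_rrsig |= rtype == TYPE_RRSIG
        off += rdlen
    return bool(flags & AD_FLAG), txts, has_rrsig

def accept_txt(msg):
    """Fail closed: use the TXT payload only when the resolver set AD."""
    ad, txts, _ = inspect(msg)
    return txts if ad else None
```

The AD bit is only as trustworthy as the path to the resolver that set it, so this check helps only when the validating resolver is local or reached over a protected channel. For a zone with no DS record, AD is never set and a fail-closed client rejects every answer.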


> Wrong (EDIT: oops, I am wrong) current.cvd.clamav.net is (EDIT:) NOT currently DNSSEC-signed.

When it's better to just delete and replace a comment.


There's no DS record for clamav.net at all. They're not signed.



