On 12/19/2015 10:27 AM, Always Learning wrote:
>
> On Sat, 2015-12-19 at 09:49 -0800, Alice Wonder wrote:
>
>> DNS verification solves that issue.
>
> How reliably safe is that ?
> Crack the DNS access and inflict viruses, trojans etc. with authorised
> impunity ?
>
> Happy Christmas.

No, if you manage to crack the DNS you cannot do anything but a DoS attack unless you also managed to get the DNSSEC signing key, which does not need to be (and should not be) on the DNS server.

Manage to get the signing key, and the only consequence is the attacker can make fraudulent DNS entries that would validate - same as with GPG or any other private / public key cryptographic signatures.
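
The point made in the reply above, as an added example that is not part of the original message: a record changed on the DNS server without the signing key fails validation, so the resolver returns an error instead of the altered answer, while a record re-signed with the key validates. It uses a toy textbook-RSA signature over SHA-256 as a stand-in for the DNSSEC algorithms and wire format; the zone name, addresses and function names are assumptions.

```python
import hashlib

# Toy textbook-RSA key (insecure, illustration only): two Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key, published like a DNSKEY
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent: stays on the offline signer

def digest(name, rtype, values):
    """Hash a record set in a fixed order (stand-in for DNSSEC canonical form)."""
    data = "|".join([name.lower(), rtype] + sorted(values)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(name, rtype, values, d=D):
    """Offline signer: produce the signature published next to the records."""
    return pow(digest(name, rtype, values), d, N)

def validate(name, rtype, values, sig):
    """Validating resolver: needs only the public key (N, E)."""
    return pow(sig, E, N) == digest(name, rtype, values)

def resolve(zone, name, rtype):
    """Return the answer if it validates, else 'SERVFAIL' (bogus data is dropped)."""
    values, sig = zone[(name, rtype)]
    return values if validate(name, rtype, values, sig) else "SERVFAIL"

# Constructed sample data. The DNS server holds records and signatures, never D.
KEY = ("repo.example.org", "A")
GOOD = ["192.0.2.10"]
zone = {KEY: (GOOD, sign(*KEY, GOOD))}

# Case 1: server compromised, record changed, old signature left in place.
ALTERED = ["203.0.113.66"]
tampered = {KEY: (ALTERED, zone[KEY][1])}

# Case 2: signing key also obtained, so the altered record can be re-signed.
resigned = {KEY: (ALTERED, sign(*KEY, ALTERED, D))}

if __name__ == "__main__":
    for label, z in [("intact", zone), ("tampered", tampered), ("re-signed", resigned)]:
        print(label, "->", resolve(z, *KEY))
```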