Do dns-addressed links guarantee content authenticity?

[dotchev]

Considering that a dns link of the form /ipns/exmple.com contains no public key hash, how can we be sure of the authenticity of the content it points to?
Isn't it a security degradation compared to normal ipns links?

[Kubuxu]

If DNS takeover/spoofing is part of your threat model, yes.

We use DNS to resolve them to hash links, so if DNS service is compromised they hash link can be replaced.

[kcolford]

@Kubuxu On that note, do you use DNSSEC validation on your gateways (to prevent such spoofing where an administrator has set it up correctly)?

[Kubuxu]

Not sure, cc @lgierth

If we are not, we might want to do that.

[lidel]

This may be helpful:

• https://dnssec-debugger.verisignlabs.com
• http://dnsviz.net/d/ipfs.io/analyze/

[ghost]

Yeah we might want to have IPNS check DNSSEC signatures. Low priority for now, but I'll happily support pull requests.

[Kubuxu]

I think it is more of a infrastructure thing, having local resolver working with DNSSEC.

[madavieb]

This issue has been moved to https://discuss.ipfs.io/t/do-dns-addressed-links-guarantee-content-authenticity/462.