Do dns-addressed links guarantee content authenticity?

From @dotchev on Sun Feb 12 2017 17:16:16 GMT+0000 (UTC)

Considering that a dns link of the form /ipns/exmple.com contains no public key hash, how can we be sure of the authenticity of the content it points to?
Isn’t it a security degradation compared to normal ipns links?

Copied from original issue: https://github.com/ipfs/faq/issues/225

From @Kubuxu on Sun Feb 12 2017 17:25:44 GMT+0000 (UTC)

If DNS takeover/spoofing is part of your threat model, yes.

We use DNS to resolve them to hash links, so if the DNS service is compromised, the hash link can be replaced.

From @kcolford on Thu Mar 30 2017 18:49:52 GMT+0000 (UTC)

@Kubuxu On that note, do you use DNSSEC validation on your gateways (to prevent such spoofing where an administrator has set it up correctly)?

From @Kubuxu on Fri Mar 31 2017 09:26:36 GMT+0000 (UTC)

Not sure, cc @lgierth

If we are not, we might want to do that.

From @lidel on Fri Mar 31 2017 09:57:23 GMT+0000 (UTC)

This may be helpful:

From @lgierth on Fri Mar 31 2017 22:38:14 GMT+0000 (UTC)

Yeah we might want to have IPNS check DNSSEC signatures. Low priority for now, but I’ll happily support pull requests.

From @Kubuxu on Fri Mar 31 2017 22:54:48 GMT+0000 (UTC)

I think it is more of an infrastructure thing, having local resolver working with DNSSEC.
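
Added example, not part of the original thread and not go-ipfs code: a sketch of the check discussed above, where a DNS-resolved link is accepted only if the resolver marked the answer as DNSSEC-validated (AD flag). It assumes the link is published as a `dnslink=` TXT record and that the resolver is a trusted local validating one; the function names and the sample response (including the placeholder hash) are constructed for illustration.

```python
import struct

AD_FLAG = 0x0020   # "Authenticated Data": resolver validated the DNSSEC chain
TYPE_TXT = 16

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off

def dnslink_from_response(msg, require_ad=True):
    """Extract the dnslink= path from a raw DNS response; refuse unvalidated answers."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    # AD is only meaningful if the resolver and the path to it are trusted.
    if require_ad and not flags & AD_FLAG:
        raise ValueError("answer not DNSSEC-validated (AD flag clear)")
    off = 12
    for _ in range(qd):                # skip question: name + type + class
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_TXT:
            continue
        txt, i = b"", 0
        while i < len(rdata):          # TXT rdata is a run of length-prefixed strings
            txt += rdata[i + 1:i + 1 + rdata[i]]
            i += 1 + rdata[i]
        if txt.startswith(b"dnslink="):
            return txt[len(b"dnslink="):].decode("ascii")
    raise LookupError("no dnslink TXT record in answer")

def build_response(flags, txt):
    """Constructed sample: one TXT answer for example.com (not captured traffic)."""
    qname = b"\x07example\x03com\x00"
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", TYPE_TXT, 1)
    rdata = bytes([len(txt)]) + txt
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + answer

SAMPLE_TXT = b"dnslink=/ipfs/QmConstructedPlaceholderHash"   # placeholder, not a real hash
VALIDATED = build_response(0x81A0, SAMPLE_TXT)    # QR|RD|RA|AD
UNVALIDATED = build_response(0x8180, SAMPLE_TXT)  # QR|RD|RA, AD clear
```

Both sample responses carry the same TXT data; only the AD bit differs, so a spoofed answer that reaches an application through a non-validating resolver looks identical unless the flag is checked.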