Does DNSSEC prevent man-in-the-middle at all?

Çağlar Arlı

I just watched a video on DNS that explained that if there is a man-in-the-middle or if someone has taken over your resolver, DNSSEC can prevent the responses from being tampered with because the client can verify that the owner of the zone has signed the resource records. I think I have a grasp of the basics of how DNSSEC works.

There is one thing I don't understand, though: the optional nature of DNSSEC.

Because DNSSEC is optional, is there anything that prevents the man-in-the-middle from crafting a malicious response and claiming that DNSSEC isn't supported in that zone?
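
An added example, not part of the original post: a toy validator for the downgrade case asked about above. Under RFC 4035, a validating resolver treats a zone as unsigned only when the signed parent zone proves that no DS record exists for it, so a reply with the signatures removed is classified as bogus rather than accepted. The textbook RSA, the `child DS=` claim string, and all names and records are assumptions made for illustration.

```python
import hashlib

def keypair(p, q, e=65537):
    # Toy textbook RSA over Mersenne primes: illustration only, not secure.
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return sig is not None and pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def ds_of(pub):
    # Stand-in for a DS record: a hash of the child zone's public key.
    return hashlib.sha256(repr(pub).encode()).hexdigest()

def validate(anchor_pub, delegation, answer):
    # delegation["ds"] is None models the parent's signed proof that no DS
    # exists; either way the statement must verify against the trust anchor.
    claim = "child DS=" + str(delegation["ds"])
    if not verify(anchor_pub, claim, delegation["sig"]):
        return "bogus"     # nothing authenticated about the child's status
    if delegation["ds"] is None:
        return "insecure"  # parent provably says the child is unsigned
    key = answer["key"]
    if key is None or ds_of(key) != delegation["ds"]:
        return "bogus"     # zone is signed, but no key matching the DS
    return "secure" if verify(key, answer["rdata"], answer["sig"]) else "bogus"

# Constructed sample data (hypothetical zone, documentation addresses).
PARENT_PUB, PARENT_PRIV = keypair(2**61 - 1, 2**89 - 1)
CHILD_PUB, CHILD_PRIV = keypair(2**107 - 1, 2**127 - 1)
SIGNED_DS = {"ds": ds_of(CHILD_PUB)}
SIGNED_DS["sig"] = sign(PARENT_PRIV, "child DS=" + SIGNED_DS["ds"])
SIGNED_NO_DS = {"ds": None, "sig": sign(PARENT_PRIV, "child DS=None")}
FORGED_NO_DS = {"ds": None, "sig": 12345}  # attacker lacks the parent key
GENUINE = {"rdata": "www A 192.0.2.10", "key": CHILD_PUB}
GENUINE["sig"] = sign(CHILD_PRIV, GENUINE["rdata"])
STRIPPED = {"rdata": "www A 203.0.113.66", "key": None, "sig": None}

if __name__ == "__main__":
    for name, d, a in [("genuine", SIGNED_DS, GENUINE),
                       ("signature stripped", SIGNED_DS, STRIPPED),
                       ("forged 'no DS'", FORGED_NO_DS, STRIPPED),
                       ("really unsigned zone", SIGNED_NO_DS, STRIPPED)]:
        print(name, "->", validate(PARENT_PUB, d, a))
```

The protection holds only where validation happens: a stub client that does not validate and simply trusts its resolver's answer gains nothing from this check if that resolver or the path to it is compromised.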