Theoretically, DNS cache poisoning shouldn't matter, because everything important is protected by SSL and IPsec.
- So why was DNSSEC developed?
- Aren't the first two protocols sufficient?
SSL and TLS provide transport security, but only after DNS resolution. So if the DNS cache has been poisoned, the connection will go to the wrong server.
But if the connection has already been made and the TTL of the DNS record is, e.g., a day, and the DNS poisoning takes place after that, it has no effect anymore, because the client will do no DNS resolving (it already knows where to connect to...).
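To make the TTL argument above concrete, here is an added simulation of a stub-resolver cache (written for this page, not code from the answer's author). The hostname, the TTL and the addresses are constructed; the addresses come from the RFC 5737 documentation ranges and belong to no real server.

```python
"""Toy stub-resolver cache showing when a poisoned answer does and does not matter."""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    address: str
    expires_at: float  # absolute time, seconds


class ResolverCache:
    def __init__(self):
        self._entries = {}

    def lookup(self, name, now):
        """Return the cached address, or None if absent or past its TTL."""
        entry = self._entries.get(name)
        if entry is None or entry.expires_at <= now:
            self._entries.pop(name, None)
            return None
        return entry.address

    def store(self, name, address, ttl, now):
        """Cache an answer only if no unexpired entry exists (returns True if stored)."""
        if self.lookup(name, now) is not None:
            return False
        self._entries[name] = CacheEntry(address, now + ttl)
        return True


def resolve(cache, name, upstream_answer, now):
    """Serve from cache if possible; otherwise accept whatever answer arrives (address, ttl)."""
    cached = cache.lookup(name, now)
    if cached is not None:
        return cached
    cache.store(name, upstream_answer[0], upstream_answer[1], now)
    return upstream_answer[0]


def scenario():
    """Constructed timeline: one-day TTL, forged answer appears one hour in."""
    legit = ("192.0.2.10", 86400)      # constructed: genuine answer, TTL one day
    forged = ("198.51.100.7", 86400)   # constructed: poisoned answer
    cache_a = ResolverCache()
    a_before = resolve(cache_a, "bank.example", legit, now=0)        # cached legit
    a_during = resolve(cache_a, "bank.example", forged, now=3600)    # cache wins, forgery ignored
    cache_b = ResolverCache()
    b_during = resolve(cache_b, "bank.example", forged, now=3600)    # empty cache: wrong server, TLS cannot redirect it
    a_after = resolve(cache_a, "bank.example", forged, now=86401)    # TTL expired, re-resolves into the poisoned answer
    return a_before, a_during, b_during, a_after
```

Client A keeps reaching the genuine address for the whole TTL; client B, and client A once the record expires, are sent to the wrong address before any TLS handshake begins.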
The two technologies are designed for different applications.
IPsec isn't traditionally used across the Internet, but rather on local networks. It also requires networking infrastructure that supports IPsec, which isn't common in SOHO routers and other non-enterprise equipment.
DNSSEC works across the Internet, and is designed to provide a form of PKI for DNS. It doesn't provide transport security, but it does help prevent DNS hijacking.