you are changing the topic. your original mail claimed to be worried about man-in-the-middle attacks. that means the attacker can respond to arbitrary traffic; the fact that you can verify the dns response is irrelevant if, when you try to connect to the correct ip address, the attacker handles it and you don't take advantage of ssl certificates to catch that.
True, unless DNS provides a certificate that is bound to the session in some way.
russ
Tim Newsham | www.thenewsh.com/~newsham | thenewsh.blogspot.com