

I, humbly, consider myself pretty conversant in the basics of (modern and classical) cryptography and information security.

For most of my career, I've been mystified as to what problem #DNSSEC purports to solve.

Has there ever been a case of a DNS-based attack (spoofing, hijacking, transfer, DDoS, etc) that's been thwarted by DNSSEC? Or, in the reverse, has there been an attack that was successful that DNSSEC would have solved?

I don't know what it is, but the upsides of DNSSEC just haven't clicked in my brain.

in reply to Tod Beardsley 🏴‍☠️

I just see it as a dependency for HTTPS (and by extension, Encrypted Client Hello), SVCB, and CAA records with account- and method-binding extensions.
in reply to Seirdy

yes - but how can you trust the CAA records?
Let's Encrypt uses multiple locations in different networks, so you'd have to tamper with more than one DNS resolver/network, but with DNSSEC you get the ability to trust the data in DNS as well.
MTA-STS does not require DNSSEC. Instead, it relies on TLS certificate validation for providing the trust.
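The CAA point raised by Seirdy and Anton above, as an added example that is not part of the thread: a CA-side check of a CAA RRset (RFC 8659 tree-climbing, plus the RFC 8657 accounturi/validationmethods parameters) that also reports whether the answer it acted on carried the resolver's AD bit, i.e. was DNSSEC-validated. The zone map, CAAAnswer type and all record values are constructed for illustration.

```python
# Added example (not from the thread): RFC 8659 CAA issuance check with the
# RFC 8657 accounturi / validationmethods parameters. The second return value
# says whether the CAA answer was DNSSEC-authenticated (the resolver's AD bit);
# without it, a spoofed CAA RRset can still steer the CA's decision.
from dataclasses import dataclass

@dataclass
class CAAAnswer:
    records: list        # (flags, tag, value) tuples of one CAA RRset (constructed)
    authenticated: bool  # resolver's AD bit: True only when DNSSEC validation passed

def parse_value(value):
    """Split 'ca.example; accounturi=...; validationmethods=a,b' into parts."""
    head, *params = [p.strip() for p in value.split(";")]
    kv = dict(p.split("=", 1) for p in params if "=" in p)
    return head.lower(), {k.strip().lower(): v.strip() for k, v in kv.items()}

def relevant_rrset(zone, name):
    """RFC 8659 section 3: climb toward the root; first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        ans = zone.get(".".join(labels[i:]))
        if ans and ans.records:
            return ans
    return None

def may_issue(zone, name, ca, account_uri=None, method=None, wildcard=False):
    """Return (permitted, dnssec_backed). 'zone' is a constructed name -> CAAAnswer map."""
    ans = relevant_rrset(zone, name)
    if ans is None:
        return True, False   # no CAA anywhere: issuance allowed, nothing to trust
    tag = "issuewild" if wildcard else "issue"
    if wildcard and not any(t.lower() == "issuewild" for _, t, _ in ans.records):
        tag = "issue"        # no issuewild property: the issue properties apply
    for flags, t, _ in ans.records:
        if t.lower() not in ("issue", "issuewild") and flags & 0x80:
            return False, ans.authenticated   # unknown property with critical flag set
    for _, t, value in ans.records:
        if t.lower() != tag:
            continue
        domain, params = parse_value(value)
        if domain != ca.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        methods = params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue
        return True, ans.authenticated
    return False, ans.authenticated
```

A CA that multi-perspective-validates (as Let's Encrypt does) raises the bar for a spoofed answer, but only a True second value means the decision rests on data the zone owner actually signed.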
in reply to Anton

I was not thinking of email. But yes, that is sort of what I was getting at: everything I mentioned allows trust in the DNS to complement but not replace trust in other systems.