BLU Discuss list archive
[Discuss] free SSL certs from the EFF
- Subject: [Discuss] free SSL certs from the EFF
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Tue, 02 Dec 2014 14:14:59 -0500
Derek,

According to the DNSSEC specs, if there is no RRSIG record in the lookup answer then a properly behaved resolver will treat it as unsigned. Backwards compatibility with so-called insecure DNS is an explicit requirement of DNSSEC.

So, what happens when a malicious actor inserts filters at an intermediary resolver or router that strip RRSIG records from DNS answers? DNSSEC was never intended to protect you against that. It was designed to protect high-level caches -- root zones, ISPs, big data players, private networks, and the like -- from cache poisoning. That's it. Any benefits that might trickle down to you are incidental.

Never mind that DNSSEC has no means of rolling over the root KSKs. If a root is compromised then the whole domain hierarchy is compromised and there currently is no way to fix that other than disabling DNSSEC for the hierarchy or accepting loss of service for everything under that root.

Aside: It's DNSSEC. It is not DNSsec, nor DNS-SEC, nor dns-sec, nor DNS-sec, nor is it any variant that is not DNSSEC.

--
Rich P.
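The condition described in the message above, as an added example that is not part of the original post: a Python check that parses a raw DNS response, looks for an RRSIG covering each answer type, and flags a missing RRSIG when local policy expects the zone to be signed. The `zone_expected_signed` flag, the name `example.test` and the sample messages are constructed assumptions; the check tests presence only and does not validate any signature.

```python
import struct
RRSIG = 46  # RR type code for RRSIG

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def answer_types(msg):
    """Return (answer RR types, types covered by an RRSIG) for a raw response."""
    qd, an = struct.unpack_from("!HH", msg, 4)   # QDCOUNT, ANCOUNT
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    types, covered = set(), set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == RRSIG:
            covered.add(struct.unpack_from("!H", msg, off)[0])  # "type covered"
        else:
            types.add(rtype)
        off += rdlen
    return types, covered

def classify(msg, zone_expected_signed):
    """Presence check only: 'signed', 'unsigned', or 'stripped?' (assumed policy)."""
    types, covered = answer_types(msg)
    if types and types <= covered:
        return "signed"
    return "stripped?" if zone_expected_signed else "unsigned"

# Constructed sample messages (not captured traffic); the signature is dummy bytes.
def wire_name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"
def rr(rtype, rdata):
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
def build(with_rrsig):
    sig = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 12345) + wire_name("example.test") + b"\0" * 64
    rrs = [rr(1, bytes([192, 0, 2, 1]))] + ([rr(RRSIG, sig)] if with_rrsig else [])
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    return hdr + wire_name("example.test") + struct.pack("!HH", 1, 1) + b"".join(rrs)
```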