
Can TLS 1.3 and DNSSEC make your network blind? - rajnathani
https://www.networkworld.com/article/3329858/lan-wan/can-tls-13-and-dnssec-make-your-network-blind.html
======
tptacek
Uh, what?

DNSSEC doesn't encrypt name lookups (it doesn't encrypt anything at all, which
is a great failure of the protocol).

~~~
rajnathani
I am unsure as to why the author used "DNSSEC" in the article title, as the
first sentence of the article refers to "Domain name system (DNS) over
transport layer security (TLS)", which is an explicit reference to DoT, and
not DNSSEC.

------
LinuxBender
Can TLS 1.3 and DNSSEC make my network blind?

Sure it could, but I control the edge. My edge recursive DNS servers can
simply ignore DNSSEC for specific zones or all zones. This capability is
supported by Unbound DNS. Whether or not this should be a thing is another
topic for discussion. Most clients are not aware of DNSSEC.

I could force all traffic through a MitM proxy which means that browsers and
API tools will be negotiating with whatever protocol and cipher suites I
choose. The proxy could then do TLS 1.3 to the destination. AFAIK there is no
way for clients to know in advance that the only allowed protocol is 1.3.

So I suppose the answer is yes, they could, if you choose to let them.
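The per-zone exception LinuxBender describes, written out as an Unbound `server:` stanza (an added example, not the commenter's own config; the interface, access-control range, trust-anchor path and the zone name `internal.example` are assumptions):

```conf
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow

    # Default posture: validate every answer against the root trust anchor.
    # Records that fail validation are returned to clients as SERVFAIL.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Per-zone exception: treat this zone as unsigned, so its records are
    # accepted with no validation at all. Clients only see that the AD bit
    # is absent for this zone; they cannot tell that the resolver chose
    # not to validate. (Assumed zone name.)
    domain-insecure: "internal.example"

    # Whole-resolver variants, shown commented out:
    # keep validating but only log failures instead of rejecting them
    # val-permissive-mode: yes
    # val-log-level: 1
    # or drop the validator module entirely ("all zones")
    # module-config: "iterator"
```

With `domain-insecure` the resolver still validates every other zone, which is the narrower of the two options the comment mentions; `unbound-checkconf` validates the syntax before reload.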

