
DNSSEC explained: Why you might want to implement it on your domain - c0r0n3r
https://www.csoonline.com/article/3569277/dnssec-explained-why-you-might-want-to-implement-it-on-your-domain.html#tk.rss_all
======
SimeVidas
I’m a simple man. Website shows fullscreen popup that interrupts me and also
scrolls the page to the top. I close the tab.

~~~
anatolinicolae
same.

~~~
sdiq
Repeating same is probably pointless by now but same, too.

~~~
dvfjsdhgfv
Not really, it helps to make a point.

Honestly, CSO folks. If you want my e-mail, try a bit harder than two
paragraphs of text and a popup. Yes, I'm your target audience.

------
brightball
Would be a worthwhile article to read if it wasn't paywalled.

------
MayeulC
The article is behind a paywall, but more to the point: why wouldn't I want
this?

It's opt-in at every registrar I've used, although it seems like a no-brainer
to me? What am I missing?

As an aside, I like DoH, but dislike the fact that my web browsers then don't
use /etc/hosts. Is there a way to provide it at the system level?

~~~
jessaustin
HN's resident DNSSEC critic, 'tptacek, has written extensively on this topic:

[https://sockpuppet.org/blog/2015/01/15/against-dnssec/](https://sockpuppet.org/blog/2015/01/15/against-dnssec/)

[https://sockpuppet.org/stuff/dnssec-qa.html](https://sockpuppet.org/stuff/dnssec-qa.html)

[https://sockpuppet.org/blog/2016/10/27/14-dns-nerds-dont-con...](https://sockpuppet.org/blog/2016/10/27/14-dns-nerds-dont-control-the-internet/)

~~~
Ajedi32
I find most of these arguments to be pretty weak TBH. From the first article:

> All secure crypto on the Internet assumes that the DNS lookup from names to
> IP addresses are insecure.

This isn't strictly true. It's true that TLS makes DNS spoofing ineffective
against end-users, but CAs still have to rely on domain validation to decide
who to issue TLS certs to in the first place, and domain validation, in turn,
relies on DNS lookups being secure.

> And governments control the DNS.

This is true, but that's an argument for not securing DNS, it's an argument
for replacing DNS entirely. Governments control DNS regardless of whether or
not DNSSEC is deployed.

> DNSSEC is Cryptographically Weak

No it isn't. _Current implementations_ of DNSSEC are cryptographically weak,
but DNSSEC itself is not. The solution to this is to deploy new, stronger keys
(like Cloudflare is doing[1]), not to get rid of DNSSEC entirely.

> DNSSEC is Expensive To Adopt [..] DNSSEC is Expensive To Deploy

This is true of all security measures to some extent. TLS was expensive to
adopt and deploy prior to the advent of free, automated CAs like Let's
Encrypt. The solution to these problems is to build tools and systems which
make DNSSEC easier to adopt and deploy, not to abandon it entirely.

-

The rest of the arguments on that page are reasonable criticisms of specific
elements of DNSSEC's design (some of which could be improved by changes to
DNSSEC's design or implementation), but I don't really see them as
show-stoppers. If there were a better alternative to DNSSEC available I would find
these arguments much more persuasive, but since the only alternative seems to
be not securing DNS records at all any small design flaws seem pretty minor in
comparison.

[1]: [https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/](https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/)

~~~
tptacek
I love it when people bring up Cloud Flare's DNSSEC.

First, Cloud Flare's curve-based DNSSEC is itself already obsolete. New
designs don't use the P-curves, which are difficult to implement safely, and
they don't use DSA, which is also brittle and dangerous. For the last 10
years, the mainstream state of the art has been twist-secure curves like
Curve25519 and Schnorr-type signature schemes like EdDSA.

But equally importantly: the overwhelming majority of new DNSSEC deployments
today use RSA.

Modern cryptography is nowhere on the horizon for DNSSEC. A concerted
industrywide effort to use a safer signature scheme wouldn't see widespread
deployment before 2030.
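
The two posts above disagree about which signature algorithms DNSSEC zones actually use and how strong they are. The script below is an added example (mine, not code from the CSO article or from any commenter) that lets a zone operator check this for their own zone offline: it parses DNSKEY RDATA in presentation format (flags, protocol, algorithm, base64 key, as `dig DNSKEY <zone> +short` prints it), names the IANA algorithm number, reads the RSA modulus size out of the RFC 3110 key layout, and flags algorithms RFC 8624 deprecates for signing as well as RSA keys under a 2048-bit threshold that is this example's policy choice. The sample RRset is constructed and belongs to no real zone.

```python
"""Offline audit of the signature algorithms in a DNSSEC DNSKEY RRset.

Added example, not code from the CSO article or from any commenter. Input
is DNSKEY RDATA in presentation format (flags, protocol, algorithm, base64
public key), e.g. what `dig DNSKEY <zone> +short` prints. The sample
records below are constructed for this example and belong to no real zone.
"""
import base64

# IANA "DNS Security Algorithm Numbers" registry, the values seen in practice.
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
RSA_ALGORITHMS = {1, 5, 7, 8, 10}
# MD5- and SHA-1-based RSA, DSA and GOST: deprecated for signing by RFC 8624.
DEPRECATED_ALGORITHMS = {1, 3, 5, 6, 7, 12}
MIN_RSA_BITS = 2048  # policy threshold chosen for this example


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size in bits of an RFC 3110 RSA public key.

    Wire layout: one exponent-length byte (0 means a two-byte big-endian
    length follows), the exponent, then the modulus with no length field.
    """
    if len(pubkey) < 2:
        raise ValueError("RSA public key too short")
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        exp_len = int.from_bytes(pubkey[1:3], "big")
        offset = 3
    modulus = pubkey[offset + exp_len:]
    if not modulus:
        raise ValueError("RSA public key has no modulus")
    # Leading zero bytes would inflate the count, so measure the integer.
    return int.from_bytes(modulus, "big").bit_length()


def audit_dnskey(rdata: str) -> dict:
    """Classify one DNSKEY record; returns a dict with the findings."""
    flags, protocol, algorithm, *key_parts = rdata.split()
    flags, algorithm = int(flags), int(algorithm)
    if int(protocol) != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    pubkey = base64.b64decode("".join(key_parts))
    finding = {
        "ksk": bool(flags & 0x0001),  # SEP bit: key-signing key
        "algorithm": algorithm,
        "name": ALGORITHMS.get(algorithm, f"UNASSIGNED({algorithm})"),
        "rsa_bits": None,
        "weak": algorithm in DEPRECATED_ALGORITHMS,
        "reasons": [],
    }
    if finding["weak"]:
        finding["reasons"].append("algorithm deprecated by RFC 8624")
    if algorithm in RSA_ALGORITHMS:
        bits = rsa_modulus_bits(pubkey)
        finding["rsa_bits"] = bits
        if bits < MIN_RSA_BITS:
            finding["weak"] = True
            finding["reasons"].append(f"RSA modulus {bits} < {MIN_RSA_BITS} bits")
    return finding


def audit_rrset(records: list[str]) -> list[dict]:
    """Audit every DNSKEY in an RRset and return one finding per key."""
    return [audit_dnskey(r) for r in records]


def _constructed_rsa_pubkey(bits: int) -> bytes:
    """Build an RFC 3110 blob with exponent 65537 and a dummy modulus of `bits`."""
    modulus = b"\xc3" + b"\x5a" * (bits // 8 - 1)  # top bit set: exact size
    return b"\x03\x01\x00\x01" + modulus


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed RRset (not a real zone): mixes the cases argued about above.
SAMPLE_RRSET = [
    f"257 3 8 {_b64(_constructed_rsa_pubkey(2048))}",  # RSASHA256 KSK, 2048-bit
    f"256 3 5 {_b64(_constructed_rsa_pubkey(1024))}",  # RSASHA1 ZSK, 1024-bit
    f"256 3 13 {_b64(bytes(range(64)))}",               # ECDSA P-256 ZSK
    f"257 3 15 {_b64(bytes(range(32)))}",               # Ed25519 KSK
]

if __name__ == "__main__":
    for f in audit_rrset(SAMPLE_RRSET):
        role = "KSK" if f["ksk"] else "ZSK"
        size = f" {f['rsa_bits']}-bit" if f["rsa_bits"] else ""
        verdict = "WEAK: " + "; ".join(f["reasons"]) if f["weak"] else "ok"
        print(f"{role} {f['name']}{size}: {verdict}")
```

Run against a real zone by replacing `SAMPLE_RRSET` with the lines `dig DNSKEY <zone> +short` returns; the RSA size check is what separates "DNSSEC is weak" from "this deployment chose weak parameters", which is the distinction the thread is arguing over.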

------
Whatarethese
Can anyone put this on pastebin or something? Paywalled.

