
Does anyone know if Let's Encrypt supports DNSSEC validation? I mean, do their data center recursive DNS servers do DNSSEC validation?

I'm wondering how easy it would be to forge DNS responses to their servers checking that I control a domain name.

DNSSEC is enforced at the resolvers.

Thanks. Since my zones are secured with DNSSEC that makes me feel a bit safer.

How would you MITM their connection to the DNS servers, though?

You don't need to MITM if you can predict the request and get your spoofed response in faster than the real server.

If the server randomizes both the Query-ID and source port, the attacker has less than 1/100000000 chance of sending a valid reply: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#fi...

An attacker can send more than one packet, and likely make multiple attempts to 'verify' the domain under attack. If the attack window is 1 second, and an attacker can source 1 million (spoofed) packets per second, and the server is using the full space for source port and query ids, and there's a single resolver, the attacker can get a cert fraudulently issued about 1 out of 4000 times.

DNSSEC makes that much harder, so it's nice that their resolvers are using it.
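The probability argument in the last few comments, worked through as an added example (not code from any commenter). It assumes the simplified model the thread uses: each spoofed packet is one uniform guess at the resolver's outstanding (query ID, source port) pair, and a validating resolver discards a forged answer regardless of the guess. The function and scenario names are my own.

```python
from math import expm1, log1p

QUERY_ID_BITS = 16  # the DNS transaction ID is a 16-bit field


def spoof_success_probability(port_bits, window_s, packets_per_s,
                              attempts=1, dnssec_validated=False):
    """Chance that at least one forged reply is accepted by the resolver.

    Simplified model: every forged packet is one uniform guess at the
    outstanding (query ID, source port) pair; the resolver accepts the
    first match. `port_bits` is the entropy the resolver puts into its
    source port (0 = fixed port, 16 = whole port range). Each validation
    attempt gets a fresh ID/port, so attempts are independent.
    """
    if dnssec_validated:
        # A matching ID/port is not enough: the forged RRset carries no
        # valid RRSIG chain, so a validating resolver rejects it anyway.
        return 0.0
    space = 2 ** (QUERY_ID_BITS + port_bits)   # guessable combinations
    guesses = window_s * packets_per_s          # forged packets per attempt
    # P(miss every guess) = (1 - 1/space)^(guesses * attempts); use
    # log1p/expm1 so precision survives when 1/space is tiny.
    exponent = attempts * guesses * log1p(-1.0 / space)
    return -expm1(exponent)


def one_in(probability):
    """Express a probability as '1 in N' for readability."""
    return round(1 / probability) if probability > 0 else float("inf")


if __name__ == "__main__":
    # Thread's scenario: 1 s window, 1e6 spoofed packets/s (constructed
    # numbers, taken from the comment above).
    scenarios = {
        "fixed source port":      dict(port_bits=0),
        "random source port":     dict(port_bits=16),
        "random port, 100 tries": dict(port_bits=16, attempts=100),
        "DNSSEC-validating":      dict(port_bits=16, dnssec_validated=True),
    }
    for name, kw in scenarios.items():
        p = spoof_success_probability(window_s=1, packets_per_s=1_000_000, **kw)
        print(f"{name:24s} P(success) = {p:.3e}  (about 1 in {one_in(p)})")
```

With a random source port the model reproduces the "about 1 in 4000" figure from the thread; with a fixed port the same packet budget succeeds almost every time, which is why source-port randomization and DNSSEC validation together matter for a CA's resolvers.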
