Education

All your DNSSEC base are belong to us

DNSSEC (Domain Name System Security Extensions) has been around since the mid-2000s and technically works well: it cryptographically signs DNS records so resolvers can verify that the answer they got really came from the authoritative server and wasn’t tampered with. Despite that, adoption and real-world deployment remain surprisingly low outside a few countries (notably .se, .nl, .cz and some others). Here’s why it never took off broadly, and why the rise of DNS over HTTPS (DoH) has made many people conclude that pushing DNSSEC further isn’t worth the effort anymore.

Read more “All your DNSSEC base are belong to us”
Snake Oil Threat Intel

DNSSEC – why not having a signed zone is…

Firstly, what is DNSSEC?

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

Ok read all that good. What we are talking about here is signing a DNS zone to “assure” that the client is getting DNS responses from the right ZONE data. DNSSEC does not encrypt the conversation between DNS client and DNS server. It does enable the client to be able to check if the data it gets back is valid. In short what we are doing is validating that the “data” being returned is authorized and not tampered with.

Read more “DNSSEC – why not having a signed zone is almost never going to lead to you getting pwn3d”
Copyright (c) Xservus Limited