On 13/11/18 8:42 pm, Kim Holburn wrote:
On 2018/Nov/13, at 5:55 pm, Hamish Moffatt <hamish@moffatt.email> wrote:
DNSSEC proves that the answer has not been tampered with. It does not prevent
eavesdropping, but DNS over HTTPS or DNS over TLS do.
Yes, and neither of these has been rolled out to retail or domestic systems.
They are both difficult to actually use. Also probably not everyone has a
certificate for their DNS, so I'm not sure of the coverage of DNSSEC.
And governments are systematically poisoning local DNS servers.
For clients, if you use 1.1.1.1 for your DNS servers then you have
DNSSEC validation. Easy. That same service also supports DNS over HTTPS,
but client support for that is not widespread. It's going to be in
Firefox soon though, if it isn't already.
For domains, DNSSEC seems a bit harder unfortunately because lots of the
big DNS hosts don't support it, like Amazon Route53. APNIC have some
interesting posts on the topic, including
https://blog.apnic.net/2017/06/28/isnt-everyone-using-dnssec/
https://blog.apnic.net/2017/12/06/dnssec-deployment-remains-low/
You also need encrypted SNI, which is almost non-existent so far.
https://encryptedsni.com has some interesting test tools.
Hamish
_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link
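Added example (not code from the thread or from any of the posters): the client-side point above, that a validating resolver such as 1.1.1.1 does the DNSSEC work for you, shows up in the wire protocol as the AD (Authenticated Data) bit in the response header, and the resolver only sets it if the query asked for it (AD in the query, DO=1 in an EDNS0 OPT record). The script below builds such a query, shows it in the DoH GET form from RFC 8484, and parses constructed responses to decide whether the resolver validated. The DoH URL base https://cloudflare-dns.com/dns-query, the transaction id 0x1234, the example.com answer address and all three response packets are assumptions made up for the example, not captured from any real resolver.

```python
"""Added example: DNSSEC-aware DNS query in DoH GET form, plus a check of the
AD bit on a resolver's answer.  Sample packets are constructed, not captured."""
import base64
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3)
FLAG_QR = 1 << 15  # response
FLAG_RD = 1 << 8   # recursion desired
FLAG_RA = 1 << 7   # recursion available
FLAG_AD = 1 << 5   # authenticated data: the resolver validated the answer
FLAG_CD = 1 << 4   # checking disabled: client asked the resolver not to validate
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's TTL field (RFC 4035)


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Query with RD and AD set and an EDNS0 OPT record carrying DO=1, so a
    validating resolver will validate and signal AD.  RFC 8484 suggests txid 0
    for DoH so identical queries are cacheable by HTTP caches."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode/version/DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def doh_get_url(query, base="https://cloudflare-dns.com/dns-query"):
    """DoH GET form (RFC 8484 section 4.1): base64url, padding stripped.
    The base URL is an assumption for the example."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def read_name(data, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data):
    """Return header fields and any A-record answers from a wire-format response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4                                        # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "is_response": bool(flags & FLAG_QR),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "answers": answers}


def resolver_validated(data, expected_txid):
    """True only for a NOERROR response to our txid with AD set and CD clear.
    Caveat: AD is a plaintext flag set by the resolver.  It proves the resolver
    validated, and is only worth trusting when the path to that resolver cannot
    be tampered with (DoT/DoH), which is the eavesdropping/tampering split above."""
    r = parse_response(data)
    return (r["is_response"] and r["txid"] == expected_txid
            and r["rcode"] == 0 and r["ad"] and not r["cd"])


# Constructed sample responses (assumptions, not real resolver output).
# Validated answer: flags QR|RD|RA|AD = 0x81A0, one A record using a name pointer.
VALIDATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
# Same answer via a non-validating or tampered path: AD clear.
UNVALIDATED_RESPONSE = (VALIDATED_RESPONSE[:2]
                        + struct.pack("!H", FLAG_QR | FLAG_RD | FLAG_RA)
                        + VALIDATED_RESPONSE[4:])
# Validation failure: a validating resolver answers SERVFAIL (rcode 2), no records.
BOGUS_RESPONSE = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 0)
                  + encode_name("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    for label, pkt in (("validated", VALIDATED_RESPONSE),
                       ("unvalidated", UNVALIDATED_RESPONSE),
                       ("bogus", BOGUS_RESPONSE)):
        print(label, resolver_validated(pkt, 0x1234), parse_response(pkt)["answers"])
```

The useful check is the combination: a resolver that validates answers SERVFAIL for a bogus zone and sets AD for a good one, and a client that never sees AD from its configured resolver is not getting validation at all, whatever the resolver's marketing says. On a plain UDP path the flag can be stripped or forged by anyone in between, so it only counts when carried over DoT or DoH.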