
Google Domains' DNS management has a link that says Enable DNSSEC. And, as I understand it, this prevents spoofing of DNS responses. And, that sounds great!

So, why wouldn't I want to enable DNSSEC?

  • Does it prevent me from using local overrides (/etc/hosts) for testing?
  • Does it prevent older clients from performing DNS queries for the domain?
  • Is it noticeably slower?

Etc.

I realize that in some cases, DNSSEC might incur some administrative/signing-key-management overhead, etc. I don't know the details in full, but, to the best of my knowledge, this is a case where Google, being both the registrar and DNS provider, manages all of that. I am presented simply with a link that says, Enable DNSSEC. When I click it, it tells me it's "on" and might take 24 hours to propagate...

Given that Google seems to manage all of the complexity, what are the reasons I might want to leave it off?

svidgen

  • This is both too wide and kind of subjective. There are a lot of other questions on DNSSEC already in StackExchange. For your 3 specific points: No (because your OS consults the file even before doing DNS queries), No (there are not old/new clients, just clients validating DNSSEC or not validating; those not validating just don't have the guarantees provided by DNSSEC), and probably No (not anymore). But there are many other points. For authoritative nameservers the problem is maintenance. For recursive ones the problem is about the support queries (see the famous NASA/Comcast problem). – Patrick Mevzek Jun 17 '20 at 17:33
  • @PatrickMevzek So, why would a DNS provider even offer the option for customers *not* to use DNSSEC? – svidgen Jun 17 '20 at 19:03
  • 1
    [The NASA/Comcast problem](https://www.internetsociety.org/blog/2012/01/comcast-releases-detailed-analysis-of-nasa-gov-dnssec-validation-failure/) to those curious: NASA enabled DNSSEC but with invalid signatures, and Comcast blocked DNS responses from NASA servers (as the protocol requires). People thought Comcast were blocking NASA... – ThoriumBR Jun 17 '20 at 19:11
  • "So, why would a DNS provider even offer the option for customers not to use DNSSEC?" If you mean on the authoritative side, comparing DNSSEC to non-DNSSEC: more work in maintenance (generating keys and signatures, rotating them), more security headaches (protection of private keys, use of an HSM, etc.) and more customer service (for DS communications to the parent, which need to go through the current registrar) as this part is really not documented. For example Route53 does not provide it. But only they can reply to you why they specifically don't do it, there could be various reasons. – Patrick Mevzek Jun 17 '20 at 19:48
  • @ThoriumBR Thanks for adding the link on the NASA/Comcast problem, I was lazy. But to be precise, it is not "Comcast blocked DNS responses from NASA servers"; it is just that NASA authoritative servers were not giving proper DNSSEC content (expired signatures), hence Comcast recursive nameservers HAD TO reply with NXDOMAIN DNS responses to queries, which for clients is the same as "this domain does not exist", hence they were not able to access it, blaming Comcast, where NASA was to blame in fact, but the layman cannot understand that. And should not have to. – Patrick Mevzek Jun 17 '20 at 19:51
  • I just don't understand why my DNS provider (or whatever you call it -- *google domains*) gives *me* the option to turn it on/off. It's just an enable/disable button. If it's more secure, why would I, as the one whose job is limited to clicking a button, ever *not* want to click the button!? (I.e., I don't have to manage anything other than *the decision to turn it on.* ... "Do you want your domain to be secure?" ... why might I say, "no?" Is there a cost *to me* that I'm not seeing?) – svidgen Jun 17 '20 at 19:52
  • @ThoriumBR Ok, I glossed over that link the first time ... and I don't think it actually showed in my search results, oddly enough. Is the zone-mapping concern the extent of the reasons I'd want to avoid this? (Assuming it's just a single button click for me to enable?) – svidgen Jun 17 '20 at 20:05
  • "It's just an enable/disable button." No, it is more complicated than that. If your registrar is also your DNS provider then it could be in charge of sending the DS records to the registry. BUT if you are using an external DNS provider then YOU will be in charge, through your registrar, of sending the DS records "regularly", like yearly. This is a burden. You seem to be conflating a generic question (DNSSEC anywhere) with a specific one just for your use case (DNSSEC with my current registrar and DNS provider). Your edit makes that clearer now, but it wasn't in your first post. – Patrick Mevzek Jun 17 '20 at 20:12
  • @PatrickMevzek Yep. I realize now my post didn't explain the situation well enough and where the confusion is ... – svidgen Jun 17 '20 at 20:46
  • The question linked as a duplicate of this one is almost 9 years old, and so are its answers, and things have changed since then... – Patrick Mevzek Jul 21 '20 at 16:33
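The failure mode the comments describe (NASA's signatures expired, so validating resolvers had to fail the lookups) is exactly what a zone owner should be monitoring for. The following is an added example, not code from the question or from Google Domains: it parses RRSIG records from a zone dump in presentation format and flags signatures that are expired, not yet valid, or close to expiring, using the RFC 1982 serial-number time comparison that RFC 4034 prescribes for RRSIG timestamps. The zone records, the signer name `example.test.` and the fixed clock value are all constructed for the demonstration.

```python
"""Audit RRSIG validity windows in a zone dump (constructed example)."""
from datetime import datetime, timezone

MOD = 1 << 32          # RRSIG times are 32-bit serial numbers (RFC 4034 3.1.5)
HALF = 1 << 31

def parse_rrsig_time(field: str) -> int:
    """Accept YYYYMMDDHHmmSS or plain seconds-since-epoch, return a 32-bit serial."""
    if len(field) == 14:
        dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % MOD
    return int(field) % MOD

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 comparison a < b on 32-bit serials (handles wrap-around)."""
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)

def audit_rrsigs(zone_text: str, now: int, warn_days: int = 7):
    """Return (owner, covered type, status) for every RRSIG line in the dump.

    Status follows RFC 4035 5.3.1: valid only when inception <= now <= expiration;
    'expiring soon' adds an operator warning window before the hard failure."""
    warn_at = (now + warn_days * 86400) % MOD
    findings = []
    for line in zone_text.splitlines():
        parts = line.split()
        if "RRSIG" not in parts:
            continue                      # comments, other RR types
        i = parts.index("RRSIG")
        if len(parts) < i + 9:
            continue                      # truncated record, nothing to judge
        # RRSIG RDATA order: type covered, alg, labels, orig TTL, expiration,
        # inception, key tag, signer, signature (expiration comes first!)
        owner, covered = parts[0], parts[i + 1]
        expiration = parse_rrsig_time(parts[i + 5])
        inception = parse_rrsig_time(parts[i + 6])
        if serial_lt(now, inception):
            status = "not yet valid"
        elif serial_lt(expiration, now):
            status = "expired"            # validating resolvers now fail this name
        elif serial_lt(expiration, warn_at):
            status = "expiring soon"
        else:
            status = "ok"
        findings.append((owner, covered, status))
    return findings

SAMPLE_ZONE = """\
; constructed sample zone dump, not real data
example.test. 3600 IN RRSIG SOA 13 2 3600 20200801000000 20200702000000 4242 example.test. c29tZXNpZw==
www.example.test. 3600 IN RRSIG A 13 3 3600 20200705000000 20200605000000 4242 example.test. c29tZXNpZw==
mail.example.test. 3600 IN RRSIG MX 13 3 3600 20200601000000 20200502000000 4242 example.test. c29tZXNpZw==
ftp.example.test. 3600 IN RRSIG A 13 3 3600 20200810000000 20200703000000 4242 example.test. c29tZXNpZw==
"""

if __name__ == "__main__":
    clock = parse_rrsig_time("20200702120000")   # constructed "current time"
    for owner, covered, status in audit_rrsigs(SAMPLE_ZONE, clock):
        print(f"{owner:<20} {covered:<4} {status}")
```

Running the same check against a real zone dump (for example the output of a zone transfer or signer log) with the real clock turns "expired" into a page before resolvers start returning failures to users.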

0 Answers