Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a set of IETF specifications for digitally signed DNS. Originally defined by RFC 2065 in 1997, it is currently governed by a set of close to a dozen distinct RFCs.

125 questions
32 votes, 2 answers

DNS zone transfer attack

Can anyone explain what a DNS zone transfer attack is, or give any link or paper? I have already googled, but could not find anything meaningful.
user6809
31 votes, 3 answers

If DNSSEC is so useful, why is its deployment non-existent for top domains?

I've read several papers on DNSSEC, and it appears that it does prevent many attack classes, and the only two possible downsides are that its deployment is hard (DNSSEC is complex), and that you can walk DNSSEC records and find out all records in…
haimg
30 votes, 3 answers

How does DNSSec work? Are there known limitations or issues?

Based on information from this site, DNSSec is needed to protect us from a number of DNS and SSL / TLS hacks, including: DNS spoofing, especially on wifi or shared medium Registrars that abuse their trust and insert invalid data into the root…
makerofthings7
26 votes, 2 answers

If DNSSEC is so questionable, why is it ahead of DNSCurve in adoption?

Looking at all the people who question the viability of DNSSEC, it's no wonder that the adoption rates are so poor. However, what about DNSCurve? It supposedly fixes all the DNS security and privacy problems independent of DNSSEC, doesn't suffer…
cnst
18 votes, 4 answers

Does Tor Hidden Service Protocol provide more threat protection than a standard HTTPS session?

DuckDuckGo is a search engine that has a Tor Exit Enclave and hidden service. This site is focused on the safe, secure searching of its users. Since DNS is not used in Tor, it appears that HTTPS is less secure due to its reliance on…
makerofthings7
17 votes, 4 answers

DNSSec (Comcast) vs DNSCurve (OpenDNS)

I was previously using OpenDNS on my internal network. I found out today that Comcast has switched over to DNSSec: Comcast DNSSec. I've done a little research on DNSSec and its benefits. I understand the basics of DNSSec. Pretty much DNSSec signs…
coding4fun
16 votes, 2 answers

Why do browsers or operating systems not have default DNSSEC validation?

Many resolvers (including TLDs and Root TLDs) support DNSSEC, also Google's OpenDNS servers support it. Yet it isn't checked on the client side by default. Why is this?
whatever489
14 votes, 2 answers

DNSSEC signing algorithms

Virtualmin supports a flurry of algorithms for DNSSEC: RSASHA1, RSASHA256, RSAMD5, DSA, DH, HMAC-MD5(???), NSEC3RSASHA1, NSEC3DSA. If I understand correctly, there's Proof of Concept available for SHA1 being easy to compromise when used with DKIM,…
taddy hoops
14 votes, 3 answers

Why is RFC4255 (SSHFP) not used for https?

I had this idea a few hours ago, but of course it already exists and there is even an RFC... Why don't we publish the fingerprint for the SSL/TLS certificate via DNS? We need DNSSEC to make sure the answer is legit and we need to make sure the…
Luc
14 votes, 2 answers

What problem does DNSSEC solve?

I have read through the questions tagged DNSSEC on this site, and over the years you hear statistics about DNSSEC adoption and about organizations enabling it on their domains... but nobody mentions what they are actually trying to solve. Well, that…
Luc
12 votes, 2 answers

When using https but not DNSSEC, under what situation, a client is vulnerable?

So DNSSEC is to ensure that returned IP address is not poisoned. And https is to verify the remote server. My question is that when protected by https, under what circumstances, a client is vulnerable? Say I go to https://www.facebook.com, even if…
Eniaczz
12 votes, 3 answers

Should the average user care about DNS security?

Denise is an average user who goes with the default settings of her OS and home router. She knows that her browser and email client use DNS and she's worried because I told her that the DNS protocol has no built-in security. Are there sensible…
Arminius
11 votes, 1 answer

Why can't we bypass DNSSEC

DNSSEC is a suite of security extensions to enhance DNS security. (e.g.: avoid cache poisoning) However I was wondering how does the resolver know that the next NS will use DNSSEC? E.g.: Someone wants to resolve www.example.com.. Let's assume that…
Posterrr57
10 votes, 1 answer

Non-validating DNSSEC aware client security implications

I understood that Windows 7 and newer Windows clients are DNSSEC aware, but that they are non-validating. That means that they are not performing any DNSSEC validation, but that they can require the DNS server to perform DNSSEC validation. When the…
pineappleman
10 votes, 1 answer

How to get started with DNSSEC?

I have been assigned the task of improving security of a specific service. After some analysis of the requirements we have come to the conclusion, that a certain aspect of the specified requirements can only be met through the use of DNSSEC. I have…
user67689