Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a set of IETF specifications for digitally signed DNS. Originally defined by RFC 2065 in 1997, it is currently governed by a set of close to a dozen distinct RFCs.

125 questions
10 votes, 2 answers

Storing SSL certificates in DNS records

Why not get rid of all certificate authorities and all the special kinds of SSL certificates there are (extended validation etc. etc.) and instead just require anyone who wanted SSL to write their own self-signed SSL certificate and then have them…
Asked by jake192
10 votes, 1 answer

Is DNSSEC really useless if TLS is properly configured?

I was reading this article http://sockpuppet.org/blog/2015/01/15/against-dnssec/ and this line caught my eye, "With TLS properly configured, DNSSEC adds nothing." My gut reaction was to disagree, but the more I thought about it, I realized I…
Asked by mercurial
9 votes, 2 answers

Does DNSSec have any benefit if used with IPSec-enabled IPv6?

I'm not sure if the RFCs support an IPSec-only implementation of DNS, but if they do, what does that mean for DNSSec? Is DNSSec an IPv4-only technology?
Asked by makerofthings7
9 votes, 2 answers

Is the Google address being spoofed on my computer?

I might use some inappropriate terminology because I am no expert, but please feel free to correct me where it is needed. I believe that a process has modified some network file on my computer, like the hosts file, in order to reroute my Google…
Asked by Klik
9 votes, 1 answer

How to obtain privacy and authenticity with DNS?

I use pfSense (Unbound) as my local resolver. Historically I've pointed it at root recursive resolution, because I perceived my main threat as trustworthiness and recency of data (poisoned/invalid DNS) and local ISP DNS tracking. (I don't know if…
Asked by Stilez
7 votes, 1 answer

Does DNSSEC still have the "enumerate all names in zone" problem?

According to Wikipedia: DNSSEC introduces the ability for a hostile party to enumerate all the names in a zone by following the NSEC chain. NSEC RRs assert which names do not exist in a zone by linking from existing name to existing name…
Asked by lepe
7 votes, 3 answers

Is the Kaminsky bug still a problem for sites without DNSSEC?

I have read about the Kaminsky bug, but I don't fully understand how easy it is for an attacker to use this vulnerability. Is DNS software updated now so that it's not that easy for an attacker to use this vulnerability? Or does a secure site need to…
Asked by Jonas
7 votes, 2 answers

Is there an HSTS equivalent for DNSSec?

Is there any way to set a DNSSec-always policy, similar to how HSTS commands web browsers to always use HTTPS? This would mitigate a DNSSec-strip attack (similar to SSLStrip). I'm also unclear if this would apply to IPSec, where security is mandatory,…
Asked by makerofthings7
7 votes, 1 answer

What is the status of forced HTTPS everywhere (Strict transport security) via DNS? I only see the July 2010 draft

I'm trying to find the most recent RFC on HSTS in DNS (or rather DNSSEC), but can only find this year-old one in expired draft status. Where can I find the most current guidance on STS in DNS? If it's not available yet, how can I keep informed…
Asked by makerofthings7
7 votes, 1 answer

Does dnssec protect against malicious registrars?

With the recent conspiracy theories around the registrar MarkMonitor Inc., the question arises whether DNSSEC protects against a registrar going malicious (or being attacked). This is especially interesting in the context of SSL certificates. At the…
Asked by Hendrik Brummermann
7 votes, 2 answers

Opt into strict DNSSEC checking - does DNSSEC provide a way for a zone to request strict signature validation?

Is there a way for a domain good.com to promise that it will sign all of its DNS records, and that any unsigned records for any host *.good.com should be rejected? In other words, is there a way for a zone to provide a signed statement indicating…
Asked by D.W.
7 votes, 2 answers

Can you force your PC or device to use only DNSSec-verified lookup results?

Okay, I'll admit something first off: I don't really understand some of the practical aspects of how DNSSec protections work very well. (Even after reading resources like this.) Well, I certainly understand why anti-spoofing protections for DNS…
Asked by mostlyinformed
6 votes, 2 answers

How does a client know that a DNS zone is DNSSEC protected?

Recently, I've been reading about DNSSEC and how it works. I found other questions and some very interesting answers on this and other websites related to this matter. However, I have a question to which I couldn't find an answer anywhere: how can a…
6 votes, 1 answer

How to test the validity of DNSSEC from a command line interface?

I am doing a research project on the Domain Name System Security Extensions (DNSSEC). I have a SOA, a stub resolver and a client, as well as an attack machine. My question is this: is there a way to test the validity of the record after a DNS…
Asked by anzenketh
6 votes, 2 answers

Can NSEC domain enumeration happen for zones with wildcard records?

In DNSSEC, NSEC records are used to provide proof of nonexistence. The trouble is that these records provide pointers to existent domain names (the closest known domain in either direction) constructing a chain that can be "walked" to eventually…
Asked by chao-mu