Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a set of IETF specifications for digitally signed DNS.

Originally defined by RFC 2065 in 1997, DNSSEC is currently governed by close to a dozen distinct RFCs.

125 questions
5 votes, 2 answers

With DNSSEC, is there any benefit in DANE for a CA-issued Cert?

I just deployed DNSSEC at val-id.com and getvalid.com. Since DNSSEC is a requirement of DANE, and I have a CA-based certificate, can I show my support for DANE-based deployments by publishing my CA-based cert into DNS? My concern is consistency in…
makerofthings7
5 votes, 2 answers

DNSSec vs SSL and IPsec

Theoretically, DNS cache poisoning shouldn't matter, because everything important is protected by SSL and IPsec. So why was DNSSec developed? Aren't the first two protocols sufficient?
Black
5 votes, 0 answers

What's stopping DANE?

As I understand it, DANE (RFC 6698) is a promising candidate for addressing issues with current TLS Trust Anchors (i.e. Trust Anchors). My attempt at explaining the issue: Currently, CAs are universal trust anchors and, as a result, are permitted to…
msuozzo
5 votes, 1 answer

Is DNSSEC immune to stripping signatures?

In my opinion, it should be possible to forge a DNS reply so it doesn't include DS/RRSIG/... parts for any request, thus bypassing DNSSEC validation of the resolved domain. Is the DNSSEC system immune to this kind of attack? Does Unbound with locally stored…
Marek Sebera
5 votes, 3 answers

Why does DNSSEC have a ridiculous keysigning ceremony?

Every three months, 7 people fly to a secure ICANN server building and go through an elaborate ceremony to generate a new signing key for DNSSEC. The entire affair appears to be based on politics and not any real security model. If the private…
Indolering
5 votes, 2 answers

Do you need DNSSEC if you use HSTS?

I'm trying to understand the benefits of DNSSEC. If a user goes to my site example.com and the DNS cache was poisoned redirecting the user to the bad guy's IP, what would happen? I've enabled HSTS. My understanding is the user would see the 'Your…
5 votes, 1 answer

How was the DNS hijacking myetherwallet.com's fault even though the AWS DNS server was hijacked yesterday?

I have been reading on how myetherwallet was hacked a day ago because Amazon's domain service was compromised, as mentioned here, https://www.reddit.com/r/ethereum/comments/8ek86t/warning_myetherwalletcom_highjacked_on_google/ The title is…
curiator
5 votes, 3 answers

How can I (preferably metaphorically) explain DNSSEC without technical jargon?

How can I explain to a non-technical person the purpose of Domain Name System Security Extensions (DNSSEC) and the risks of not using DNSSEC? It would be nice to use a metaphor, so that it's also easy to remember for a non-technical person.
Bob Ortiz
5 votes, 1 answer

Kaminsky Bug Exploitation

I am trying to exploit the Kaminsky bug for a school assignment. The specific version of the bug that I want to exploit is sending a forged packet with false information about www.domain.com so that all users attempting to access www.domain.com com…
Mrjaco12
4 votes, 3 answers

What types of attacks and abuse does DNSSEC protect against?

I've read lots of different articles on what DNSSEC is and that it provides authentication for DNS. What I unfortunately haven't seen is a good description of the types of attacks and abuse that DNSSEC can prevent/mitigate. With most of my own…
Naftuli Kay
4 votes, 2 answers

DNSSEC: Does the algorithm of the ZSK need to match the algorithm of the KSK?

I am in the process of setting up DNSSEC for my domains. Initially I was going to go with algorithm 13 (ECDSA-P256-SHA256), but it seems that dyn.com doesn't allow me to add a DS record with an algorithm value of 13. (Would love some insight as to…
darco
4 votes, 1 answer

My DNS Name Server does not support DNSSec client queries, what alternatives do I have?

I am using a web browser to access DNSSec enabled sites. My current name server doesn't (won't) support DNSSec for at least a year. What are my alternatives? Do any ISPs currently offer DNSSec? Any other viable secure companies?
makerofthings7
4 votes, 1 answer

How will users know if their session is DNSSec protected or not?

There is definite security value in having DNSSec-verified connections, however I have yet to see software indicate if the connection is secure. Ultimately I would like my users to recognize that DNSSec is a more secure solution, and prefer it or…
makerofthings7
4 votes, 1 answer

Does DNSSEC provide signed statements that a certain domain does NOT yet support DNSSEC? If not, why not?

In my security class with David Wagner, we talked about some of the reasons why DNSSEC is not widely adopted right now. One of the reasons was that for backward compatibility reasons, clients need to accept both signed DNS records and unsigned ones.…
4 votes, 1 answer

How to verify DNSKEY by using its corresponding DS

A DNSKEY on a name server can be verified by using its DS stored on its parental name server. According to RFC4034: The DS record refers to a DNSKEY RR by including a digest of that DNSKEY RR. The digest is calculated by concatenating the canonical…
Rad
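Worked example, added here and not part of the question above or any answer on the page: the DS construction from RFC 4034 section 5.1.4 (hash of the canonical owner name followed by the DNSKEY RDATA), the key tag from Appendix B, and the comparison a validating resolver makes between the DS it fetched from the parent zone and the DNSKEY it fetched from the child. The DNSKEY used is a constructed dummy with a 4-byte "public key" so the arithmetic can be followed by hand; `DUMMY_OWNER`, `DUMMY_DNSKEY` and all function names are this example's own.

```python
"""Compute a DS record from a DNSKEY and check it the way a validator does.

Added example for this page, not code from the question or its answers.
Follows RFC 4034 section 5.1.4 (DS digest) and Appendix B (key tag).
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry (RFC 4034 and RFC 4509).
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, each label prefixed by its length, terminated by the
    zero-length root label. The digest covers this form, not the
    presentation text, so "Example.COM." and "example.com" hash the same."""
    name = name.rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the
    raw public key (base64-decoded from presentation format)."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol must be 3 (RFC 4034 section 2.1.2)")
    pubkey = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the whole RDATA.
    It only helps a validator *pick* a candidate key; it authenticates nothing.
    (The deprecated algorithm 1, RSA/MD5, used a different rule; not handled.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def dnskey_to_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS RDATA as (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches(owner, dnskey, ds) -> bool:
    """The check a validating resolver performs: recompute the DS from the
    child's DNSKEY and compare every field with the DS served (and signed)
    by the parent zone. A mismatch on any field means this DNSKEY is not the
    one the parent delegated to."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_TYPES:
        return False  # unknown digest type: this DS cannot be used to verify
    got = dnskey_to_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype)
    return got == (tag, alg, dtype, digest.upper())


# Constructed dummy key (flags 257 = KSK/SEP, protocol 3, algorithm 8) with a
# 4-byte "public key" so the arithmetic is easy to follow. Not a real key.
DUMMY_OWNER = "example.com."
DUMMY_DNSKEY = (257, 3, 8, "3q2+7w==")  # base64 of the bytes de ad be ef

if __name__ == "__main__":
    tag, alg, dtype, digest = dnskey_to_ds(DUMMY_OWNER, *DUMMY_DNSKEY)
    print(f"{DUMMY_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    print("matches:", ds_matches(DUMMY_OWNER, DUMMY_DNSKEY, (tag, alg, dtype, digest)))
```

To try it on a real zone, feed the four DNSKEY fields from `dig +dnssec DNSKEY <zone>` into `dnskey_to_ds` and compare with `dig DS <zone>` asked of the parent; applied to the root KSK published as the 2017 trust anchor, the same procedure yields key tag 20326. The digest match on its own proves nothing about who published the key: what makes it a chain of trust is that the DS RRset in the parent is covered by an RRSIG made with the parent's own DNSKEY, which the validator checks in turn, up to a configured trust anchor.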