undefined | Better HN

0 pointsphicoh7y ago0 comments

The reason DNSSEC is vulnerable to that kind of MITM attack is because browsers refuse to do client side validation.

For privacy reasons, DNS over TLS and DNS over HTTPS are still a good idea. So even with DNSSEC you would need one of those.

0 comments

3 comments · 1 top-level

tptacek7y ago· 2 in thread

Browsers tried to do DNSSEC validation. It didn't work. DNSSEC features in Chrome, OS X, and Firefox were rolled back.

Also: it is part of the architecture of DNSSEC for clients not to do full validation, which requires that they act as their own recursive resolvers and eliminates shared caches.

phicohOP7y ago

Any pointers to which browser versions did do DNSSEC validation and is there any documentation of what didn't work? My experience with running the validator plugin for a couple of years is that it just works.

Obviously, in the early days of DNSSEC there were more improperly signed zones. But since Google's public resolvers do DNSSEC validation, that is mostly a thing of the past.

Then there might be the rare case of middle boxes breaking DNSSEC, but as far as I can tell, that is extremely rare.

There is no connection between DNSSEC validation and being a full recursive resolver. You can easily have a stub resolver that does DNSSEC validation. Or, if it is easier, have a local validation recursive resolver that forwards to another recursive resolver.

tptacek7y ago

Google [why not dane in browsers].

1 more reply

j / k navigate · click thread line to collapse