undefined | Better HN

0 pointstptacek2mo ago0 comments

Leaving aside that you applied the word "easy" to DNSSEC, how do you mean? How does DNSSEC solve the problem being discussed?

0 comments

3 comments · 1 top-level

azernik2mo ago· 2 in thread

It was a somewhat flippant (given that GitHub doesn't implement DNSSEC either) dig at the idea of using hand-entered/hand-updated IP addresses for access control, rather than having the access control system look addresses up in the system designed to securely attest owner/ip mappings.

tptacekOP2mo ago

(Almost nobody signs zones.) How is that any easier than just having an https:// URL from which you pull an (arbitrarily-formatted) list of IP addresses to block? Is the idea that you'd otherwise be able to do real-time DNS lookups on incoming IP addresses?

azernik2mo ago

Yes - delay SYNs until an authenticated reverse lookup confirmed the IP was owned by a trusted domain. With caching to reduce common-case latency, which would otherwise be intolerable.

1 more reply

j / k navigate · click thread line to collapse