[GTALUG] CIRA officially launches free DNS firewall for consumers | IT World Canada News

Sadiq Saif lists at sadiqsaif.com
Tue Apr 28 10:07:39 EDT 2020


On 2020-04-28 09:16, ac via talk wrote:
> On Tue, 28 Apr 2020 08:13:11 -0400
> 
> How about just plain old DNSSEC?
> (instead of a nanny) - yay, IT Works! - and is so mature
> already...(without all the risks of having/using a nanny)

DNSSEC and DNS-over-HTTPS/DNS-over-TLS are not the same thing and don't 
protect against the same threats.

DNSSEC protects against DNS cache poisoning by verifying the digital 
signature and therefore integrity of the zone's contents. That is, it 
provides authentication not encryption.

DOH/DOT provides transport level encryption of the contents of the DNS 
packets themselves from the host to its resolver. This provides 
protection against packet snooping on the wire, for example on an 
unsecured WiFi connection.

> and using connectivity providers (instead of third parties and dns over
> https) -- for caching/recursive, like Bell (Bell CA actually does not
> track/record/monetise their users DNS queries afaik)

I would love if Bell.ca offered DOH/DOT service on their 
recursive/caching resolvers.

> again, dnssec already protects users, it just needs wider adoption,
> which is the issue... as for "shared" domains like outlook.com - abuse
> management costs will increase? - which is probably why dnssec has
> never caught on, it is not "sexy" (like some nannies...)

DNSSEC adoption is indeed a problem. IMHO, this is because it is a pain 
to implement properly and provides little benefit to the user of the 
zone in most cases. Improperly signing a zone will result in it not 
resolving which is one hell of a failure mode for most people to put up 
with. I only recently started signing my domains again and that is only 
because my managed DNS provider made it very simple, as in I click a 
button, zone is signed and I add the ZSK digest to my domain registrar.

Further reading on DOH/DOT and DNSSEC:

DNS Wars by Geoff Huston
https://blog.apnic.net/2019/11/04/dns-wars/

DNSSEC
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
-- 
Sadiq Saif
https://sadiqsaif.com
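The two layers Sadiq separates above can be seen in the wire format itself. This added example (not from the thread or from any of the projects mentioned) builds a DNS query with the EDNS0 DO bit, wraps it in the RFC 8484 DoH GET form that rides inside HTTPS, and decodes the AD flag a validating resolver sets in its reply. The resolver URL is a placeholder; the response headers are constructed sample bytes.

```python
import base64
import struct

DOH_URL = "https://doh.example.net/dns-query"  # placeholder resolver (assumption)


def build_query(name: str, qtype: int = 1, txid: int = 0, want_dnssec: bool = True) -> bytes:
    """Serialize an RFC 1035 query. With want_dnssec, add an EDNS0 OPT record
    with the DO bit set (return RRSIGs) and the AD header bit (report validation)."""
    flags = 0x0100 | (0x0020 if want_dnssec else 0)          # RD (+ AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if want_dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # QTYPE, QCLASS=IN
    opt = b""
    if want_dnssec:
        # OPT RR: root name, TYPE=41, UDP size 4096, ext-RCODE 0, version 0, DO flag, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """RFC 8484 GET form: unpadded base64url in the 'dns' parameter. A transaction
    ID of 0 keeps the encoding stable so HTTP caches can serve repeated queries.
    Confidentiality comes from the TLS session carrying this URL, not from DNS."""
    return f"{base}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"


def response_flags(msg: bytes) -> dict:
    """Decode the header flags of a DNS response. 'ad' means the resolver asserts
    the data passed DNSSEC validation; it says nothing about whether the path to
    the resolver was encrypted, which is the job of DoH/DoT."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "rcode": flags & 0x000F}


# Constructed 12-byte response headers (QR,RD,RA set): validated, unvalidated, SERVFAIL
VALIDATED = bytes.fromhex("0000 81a0 0001 0001 0000 0001")
UNVALIDATED = bytes.fromhex("0000 8180 0001 0001 0000 0000")
BOGUS = bytes.fromhex("0000 8182 0001 0000 0000 0001")

if __name__ == "__main__":
    print(doh_get_url(build_query("www.example.com")))
    for label, hdr in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("bogus", BOGUS)):
        print(label, response_flags(hdr))
```

With `want_dnssec=False` and the RFC 8484 sample name the encoding matches the one printed in that RFC, which is a handy check that the serializer is right.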