Questions tagged [dnssec]

Domain Name System Security Extensions (DNSSEC) is a set of IETF specifications for digitally signed DNS.

DNSSEC was originally defined by RFC 2065 in 1997 and is currently governed by close to a dozen distinct RFCs.

132 questions
35
votes
3 answers

If DNSSEC is so useful, why is its deployment non-existent for top domains?

I've read several papers on DNSSEC, and it appears that it does prevent many attack classes, and the only two possible downsides are that its deployment is hard (DNSSEC is complex), and that you can walk DNSSEC records and find out all records in…
haimg
  • 515
  • 1
  • 4
  • 7
26
votes
2 answers

If DNSSEC is so questionable, why is it ahead of DNSCurve in adoption?

Looking at all the people who question the viability of DNSSEC, it's no wonder that the adoption rates are so poor. However, what about DNSCurve? It supposedly fixes all the DNS security and privacy problems independent of DNSSEC, doesn't suffer…
cnst
  • 1,954
  • 3
  • 19
  • 30
11
votes
1 answer

Why can't we bypass DNSSEC

DNSSEC is a suite of security extensions to enhance DNS security. (e.g.: avoid cache poisoning) However I was wondering how does the resolver know that the next NS will use DNSSEC? E.g.: Someone wants to resolve www.example.com.. Let's assume that…
Posterrr57
  • 111
  • 2
10
votes
1 answer

Non-validating DNSSEC aware client security implications

I understood that Windows 7 and newer Windows clients are DNSSEC aware, but that they are non-validating. That means that they are not performing any DNSSEC validation, but that they can require the DNS server to perform DNSSEC validation. When the…
pineappleman
  • 2,299
  • 12
  • 22
10
votes
1 answer

How to get started with DNSSEC?

I have been assigned the task of improving security of a specific service. After some analysis of the requirements we have come to the conclusion, that a certain aspect of the specified requirements can only be met through the use of DNSSEC. I have…
user67689
  • 101
  • 4
8
votes
3 answers

Is there a way to use DNS to block access to my domain?

I manage a few dozen servers that are publicly accessible and must remain so. I see very large volumes of malicious traffic on all of these servers. The malicious traffic starts as port scans (identified by scanlogd) and progresses to a combination…
grenade
  • 183
  • 6
5
votes
3 answers

Why does DNSSEC have a ridiculous keysigning ceremony?

Every three months, 7 people fly to a secure ICANN server building and go through an elaborate ceremony to generate a new signing key for DNSSEC. The entire affair appears to be based on politics and not any real security model. If the private…
Indolering
  • 862
  • 6
  • 21
4
votes
2 answers

DNSSEC: Does the algorithm of the ZSK need to match the algorithm of the KSK?

I am in the process of setting up DNSSEC for my domains. Initially I was going to go with algorithm 13 (ECDSA-P256-SHA256), but it seems that dyn.com doesn't allow me to add a DS record with an algorithm value of 13. (Would love some insight as to…
3
votes
1 answer

Value of DNSSEC with allow-downgrade option

Does setting up DNSSEC in client (systemd-resolved) with allow-downgrade option have any value? Does it improve security at all?
wilx
  • 201
  • 2
  • 9
2
votes
1 answer

What if a resolver doesn't support DNSSEC?

I've been reading about DNSSEC lately and had a question about DNS-Resolvers installed elsewhere on the internet. If a client is using a DNS-Resolver that doesn't support DNSSEC will it fall back to using non-secure DNS? Is this the norm now,…
Contego
  • 145
  • 1
  • 2
  • 5
2
votes
1 answer

Why is it dangerous for attackers to be able to enumerate all subdomains of a given domain?

While it seems like a bad idea for attackers to be able to use DNSSEC to enumerate subdomains, I cannot think of a specific attack that this information enables, which would not be doable without this information.
Merlin
  • 21
  • 1
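The enumeration this question and the earlier "If DNSSEC is so useful…" question refer to is an NSEC chain walk. The following is an added example, not code from the page or from any answer on it; the zone, its NSEC chain and the simulated authoritative server are constructed for illustration, and a real walk would send one DNS query per step.

```python
# Added example (not part of the original page): enumerating a zone by walking
# its NSEC chain. The zone contents and the simulated server are constructed
# for illustration; a real walk sends one DNS query per step.

# Constructed NSEC chain for the zone "example.": each owner name maps to the
# "next" owner name in canonical order, exactly what an NSEC record carries.
# The last record points back to the apex, which closes the chain.
NSEC_CHAIN = {
    "example.": "api.example.",
    "api.example.": "mail.example.",
    "mail.example.": "staging.example.",
    "staging.example.": "www.example.",
    "www.example.": "example.",
}


def canonical_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 section 6.1):
    labels are compared right to left and case-insensitively."""
    stripped = name.rstrip(".").lower()
    return tuple(reversed(stripped.split("."))) if stripped else ()


def lookup_nsec(qname):
    """Simulate the denial-of-existence part of an authoritative answer:
    return the (owner, next) pair of the NSEC record whose span covers qname,
    i.e. the record with the greatest owner name that sorts at or before
    qname. If qname sorts before every owner, the last record (which wraps
    around to the apex) covers it."""
    owners = sorted(NSEC_CHAIN, key=canonical_key)
    covering = owners[-1]
    for owner in owners:
        if canonical_key(owner) <= canonical_key(qname):
            covering = owner
    return covering, NSEC_CHAIN[covering]


def walk_zone(apex, max_steps=10000):
    """Enumerate every owner name in the zone by following NSEC 'next'
    pointers. Querying an existing name for a type it does not have yields a
    NODATA answer carrying that name's own NSEC record, whose 'next' field is
    the following name in the zone; repeating this from the apex lists the
    whole zone without guessing a single name."""
    found = []
    current = apex
    for _ in range(max_steps):
        _owner, nxt = lookup_nsec(current)
        found.append(current)
        if nxt == apex:  # chain wrapped around to the apex: enumeration complete
            return found
        current = nxt
    raise RuntimeError("NSEC chain did not close within max_steps")


if __name__ == "__main__":
    for name in walk_zone("example."):
        print(name)
```

The walk needs no wordlist: each denial-of-existence proof hands over the next name that does exist. NSEC3 (RFC 5155) replaces owner names with salted hashes, so the same walk yields a list of hashes that must be brute-forced offline rather than names directly; minimally covering NSEC records (RFC 4470) with online signing avoid revealing real neighbours at all.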
2
votes
1 answer

Can someone please confirm one of these explanations of the DNSSEC chain of trust?

Let me apologize in advance if this question has been answered. I did have a good look and if it is here somewhere I missed it. My question hopes to clarify exactly what happens when a validating resolver queries a DNSSEC aware nameserver for a RR.…
peter829
  • 21
  • 1
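The link in the chain of trust that the question above is asking about is the parent's DS record matching the child's DNSKEY. The following is an added example, not code from the page or from any answer on it, showing how that match is computed: the DNSKEY owner name and RDATA are serialised in wire format, hashed into a DS digest, and tagged with the RFC 4034 key tag. The key bytes are constructed placeholders, not a real key.

```python
# Added example (not part of the original page): how a validating resolver
# ties a child zone's DNSKEY to the DS record published in the parent.
# The key bytes used below are constructed placeholders, not a real key.
import hashlib
import struct


def name_to_wire(name):
    """Encode a domain name in DNS wire format (length-prefixed labels ending
    in a zero octet), lowercased as the DNSSEC canonical form requires."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Serialise DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm,
    then the public key bytes (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit
    words (a trailing odd byte counts as a high byte), then fold the carry."""
    acc = 0
    for i in range(0, len(rdata), 2):
        word = rdata[i] << 8
        if i + 1 < len(rdata):
            word |= rdata[i + 1]
        acc += word
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Build the DS record the parent publishes for this DNSKEY
    (RFC 4034 section 5.1.4): digest(owner name in wire form + DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key):
    """The validator's check: recompute the DS from the child's DNSKEY and
    compare key tag, algorithm, digest type and digest. Only keys with the
    Zone Key flag (bit 7, value 256) and protocol 3 may be used (RFC 4034
    section 2.1); a KSK normally carries flags 257 (Zone Key + SEP)."""
    if not (flags & 0x0100) or protocol != 3:
        return False
    computed = ds_from_dnskey(owner, flags, protocol, algorithm,
                              public_key, ds["digest_type"])
    return computed == ds


if __name__ == "__main__":
    # Constructed KSK for example.com.: flags 257, protocol 3, algorithm 13
    # (ECDSA P-256 / SHA-256) with placeholder key bytes.
    placeholder_key = b"\x00\x01\x00\x02"
    ds = ds_from_dnskey("example.com.", 257, 3, 13, placeholder_key)
    print("DS for example.com.:", ds)
    print("matches:", ds_matches_dnskey(ds, "example.com.", 257, 3, 13, placeholder_key))
```

A resolver that has validated the parent's DS RRset fetches the child's DNSKEY RRset, finds the key whose recomputed DS equals the parent's, and only then uses that key's RRSIG over the DNSKEY RRset to trust the child's remaining keys. Any change to the key material, the flags or the owner name produces a different digest, which is what makes the link tamper-evident.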
2
votes
2 answers

Possible to prevent/limit caching of DNSSec records?

I am looking at the SmartCache service of OpenDNS where it caches authoritative responses. From a client perspective, is there any way I can use a recursive DNS resolver to determine if the record is cached, and if so for how long? From a server…
makerofthings7
  • 50,918
  • 55
  • 261
  • 556
2
votes
1 answer

How does DNSSEC work?

How does my OS or browser know to check for DNSSEC? How does the verification process work? Do I need a key from Comodo/Verisign? Do I need to install something to my hosting? What happens in a man-in-the-middle attack? I have a man-in-the-middle attack…
ilhan
  • 415
  • 2
  • 4
  • 10
1
vote
0 answers

How to validate DNSSEC signatures - zone cuts?

RFC 4035, section 5.3.1 lays out the rules for validating DNSSEC RRSIG records: The RRSIG RR and the RRset MUST have the same owner name and the same class. The RRSIG RR's Signer's Name field MUST be the name of the zone that contains the…
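The rules quoted above are structural checks that come before any signature verification, and the zone-cut part of the question is exactly rule 2: the Signer's Name must be the apex of the zone that actually contains the RRset. The following is an added example, not code from the page or from any answer on it, that applies rules 1 to 5 of RFC 4035 section 5.3.1 and works out the containing zone from the zone cuts a resolver has already learned while following the delegation chain. The records, zone cuts and clock value are constructed for the example; DNSKEY lookup and the cryptographic verification itself are not performed.

```python
# Added example (not part of the original page): the structural checks of
# RFC 4035 section 5.3.1 that a validator applies to an RRSIG/RRset pair
# before any cryptography, including finding the zone that contains the RRset
# from zone cuts the resolver has already learned. Records, zone cuts and the
# clock value below are constructed for the example.

# Constructed view of the zone cuts a resolver discovered while following the
# delegation chain: each entry is a zone apex.
ZONE_CUTS = {".", "com.", "example.com.", "sub.example.com."}
NOW = 1_700_000_000  # constructed "current time" (seconds since the epoch)

A_RRSET = {"owner": "www.example.com.", "class": "IN", "type": "A"}
GOOD_RRSIG = {
    "owner": "www.example.com.", "class": "IN", "type_covered": "A",
    "labels": 3, "signer": "example.com.",
    "inception": NOW - 86400, "expiration": NOW + 86400,
}


def name_labels(name):
    """Labels of a domain name, lowercased, without the root label."""
    return [p for p in name.rstrip(".").lower().split(".") if p]


def is_subdomain(name, zone):
    """True if name equals zone or lies below it."""
    n, z = name_labels(name), name_labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def containing_zone(owner, rrtype, zone_cuts):
    """Apex of the zone that holds this RRset: the closest enclosing apex,
    except at a delegation point, where the DS RRset (and the unsigned NS
    RRset) belong to the parent, so the next enclosing apex is used."""
    apexes = sorted((z for z in zone_cuts if is_subdomain(owner, z)),
                    key=lambda z: len(name_labels(z)), reverse=True)
    if not apexes:
        raise ValueError("no known zone contains " + owner)
    at_cut = name_labels(apexes[0]) == name_labels(owner)
    if at_cut and rrtype in ("DS", "NS") and len(apexes) > 1:
        return apexes[1]
    return apexes[0]


def check_rrsig(rrsig, rrset, zone_cuts, now):
    """Rules 1 to 5 of RFC 4035 section 5.3.1. Returns the list of failed
    rules; an empty list means the pair may go on to the DNSKEY lookup and
    signature verification, which this example does not perform."""
    failures = []
    if (name_labels(rrsig["owner"]) != name_labels(rrset["owner"])
            or rrsig["class"] != rrset["class"]):
        failures.append("rule 1: RRSIG and RRset must have the same owner name and class")
    zone = containing_zone(rrset["owner"], rrset["type"], zone_cuts)
    if name_labels(rrsig["signer"]) != name_labels(zone):
        failures.append("rule 2: signer %s is not the containing zone %s"
                        % (rrsig["signer"], zone))
    if rrsig["type_covered"] != rrset["type"]:
        failures.append("rule 3: Type Covered must equal the RRset type")
    # The Labels field excludes the root label and a leading wildcard label,
    # so a wildcard-expanded owner name may have more labels than the field.
    if len(name_labels(rrset["owner"])) < rrsig["labels"]:
        failures.append("rule 4: owner name has fewer labels than the Labels field")
    # Real validators compare the 32-bit timestamps with RFC 1982 serial
    # arithmetic; plain integer comparison is a simplification here.
    if not (rrsig["inception"] <= now <= rrsig["expiration"]):
        failures.append("rule 5: current time is outside the inception/expiration window")
    return failures


if __name__ == "__main__":
    print("good:", check_rrsig(GOOD_RRSIG, A_RRSET, ZONE_CUTS, NOW))
    print("wrong signer:", check_rrsig(dict(GOOD_RRSIG, signer="com."), A_RRSET, ZONE_CUTS, NOW))
    print("DS at cut lives in:", containing_zone("sub.example.com.", "DS", ZONE_CUTS))
```

The zone-cut handling is the part that trips people up: an RRSIG over www.example.com. signed by com. fails rule 2 even if the signature itself would verify under some com. key, because com. is not the zone that contains the name, while the DS RRset at sub.example.com. must be signed by example.com., not by sub.example.com., since the DS lives on the parent side of the cut.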