DNSSEC general
Images are sometimes not shown due to bandwidth/network limitations. Refreshing the page usually helps.
You are currently reading a thread in /g/ - Technology
You are currently reading a thread in /g/ - Technology
Going to try this again.
Who DNSSEC[1][2] here? Why do you use it? What do you use it for? Have you considered TLSA (DANE[3]), SSHFP[4], OPENPGPKEY[5] RRs yet? Discuss.
There's also an interesting new IETF draft, SMTP STS[6]. Would be interesting to secure your MTA more.
[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-08
[6] https://tools.ietf.org/html/draft-margolis-smtp-sts-00
No one? Come on, leave the consumer threads for a moment.
DNSSEC has some some serious design weaknesses, but DANE is okay as a means of additionally constraining public key sets (I do not trust it fully due to the .gov owned roots).
I've deployed elliptic curve DNSSEC using djbdns tinydns/axfrdns. My patches are here: hhttps://github.com/qrmn/tinydnssec
>>53731233
>DNSSEC has some some serious design weaknesses, but DANE is okay as a means of additionally constraining public key sets (I do not trust it fully due to the .gov owned roots).
Which DANE does not necessarily rely on. PKIX path validation is optional.
>I've deployed elliptic curve DNSSEC using djbdns tinydns/axfrdns. My patches are here: hhttps://github.com/qrmn/tinydnssec
That's pretty cool, mate. How does djbdns compare to BIND or NSD, though? djb also created DNSCurve, which I think is very useful for queries. I would really like encrypted lookups in DNS, but it isn't standardised...
>>53730607
Good thread OP. Make this thread more often.
Also include how to use DNSSec for the newfags
>>53733319
Thanks, and that's a good idea. Sadly not all registrars offer DNSSEC, but I'll think of something for next thread.
>>53730607
DNSSEC or DNSCurve?
free bump, good thread
>>53733423
Whichever one you prefer, there's also DNSCrypt, which is similar to DNSCurve in that it encrypts the resolving process. It's currently being packaged for the next Debian release as well[1].
I'm considering renaming this thread to DNS general, with an emphasis on security.
[1] https://packages.debian.org/search?keywords=dnscrypt&searchon=names&suite=all§ion=all
Is my understanding of DNSSEC somewhat correct? Basically a root cert, signing the TLDs, signing lower level names, ...? I don't feel like reading the RFC right now.
If so, who owns the root cert(s)? It's not Verisign or some shit, is it?
>>53735560
Yes, your understanding is basically correct. And no, the root key signing key (KSK) does not belong to a commercial party like Verisign.
The DNSSEC root KSK is a joint effort by ICANN selected Trusted Community Representatives: https://www.iana.org/dnssec/tcrs
>>53730607
What servers for ausfags?
Does it not see your destination in the last hop?
>>53735815
You mean which ccTLD is assigned to Australia? I believe that's .au. See https://en.wikipedia.org/wiki/.au
>>53735867
What do you mean?
