Post AT9GDIan9LaxDjCSSu by [email protected]
Post #AT7KVWol0hgk3IlCOu by [email protected]
0 likes, 2 repeats
So apparently "DNSSEC bad!!" FUD takes are still a thing, so--A 🧵 …
Post #AT7KVWu4gvwSJnFRgm by [email protected]
0 likes, 0 repeats
OK, first "US gov, Five Eyes, ZOMG they have the root keys!!" Any PKI …
Post #AT7KVWygPnd0Y5P7s8 by [email protected]
0 likes, 0 repeats
With DNSSEC, any forgery event carries with it irrefutable cryptographic eviden…
Post #AT7KVX2aBIkOkBEEwy by [email protected]
0 likes, 0 repeats
OK, now apparently DNSSEC is "a reliability nightmare" because your d…
Post #AT7KVX7BuAQwyTNv8K by [email protected]
0 likes, 1 repeats
Also apparently DNSSEC "doesn't address any threats" and is a "…
Post #AT7KVXfDrdeig1J6B6 by [email protected]
0 likes, 0 repeats
The right way to use DNS/DNSSEC in 2023 is to have 127.0.0.1 in resolv.conf (or…
Post #AT7KVYGnbviIYYt6kS by [email protected]
0 likes, 0 repeats
But even if you're not validating DNSSEC on the client side, DNSSEC still h…
Post #AT7KVYrfOrCiOu8YDI by [email protected]
0 likes, 0 repeats
The biggest benefit of DNSSEC even for folks who don't validate, though, is…
Post #AT7KVZRTFjqOBwt91M by [email protected]
0 likes, 0 repeats
And since there are some gigantic number of garbage CAs out there, you only hav…
Post #AT7KVa3kxOT86gnihE by [email protected]
0 likes, 0 repeats
Smart folks realized that CAs issuing certificates they shouldn't was a big…
Post #AT7KVaXt9MZVc8tmfA by [email protected]
0 likes, 1 repeats
If CT ledgers upped their game to require inclusion of the set of DNS records, …
Post #AT7KVb8kwI3vSU9E80 by [email protected]
0 likes, 0 repeats
DNSSEC is the key ingredient to getting the dumpster-fire WebPKI CA system to a…
Post #AT972bSrkBySyjJlR2 by [email protected]
0 likes, 0 repeats
So yes, DNSSEC addresses and resolves specific threats, particularly gaps in th…
Post #AT972bXTT3f1D1TRcO by [email protected]
0 likes, 0 repeats
Now, the next concrete threat DNSSEC solves: email interception! Normally, TLS f…
Post #AT972bcn9HujTVxguG by [email protected]
0 likes, 0 repeats
DANE adoption is only so-so, thanks largely to Google and Comcast pushing their…
Post #AT972c6ZMZjWxrtTJw by [email protected]
0 likes, 0 repeats
@dalias Shame that Microsoft still are failing to prompt new fully-M365-hosted …
Post #AT972cdtMgO8dDU5GC by [email protected]
0 likes, 0 repeats
And that brings me back to DNSSEC's and DANE's deployment success! Desp…
Post #AT972dajptSZZj14z2 by [email protected]
0 likes, 0 repeats
And "small web" style mail servers, especially personal ones, are one…
Post #AT972e9pjPX5KZR6ga by [email protected]
0 likes, 0 repeats
One really cool and underappreciated (and even little known) property of DNSSEC…
Post #AT972er58c7xUhfe64 by [email protected]
0 likes, 0 repeats
Recall that, because CAs issue certs for your HTTPS sites based on trusting you…
Post #AT972faoOahtmX4ANM by [email protected]
0 likes, 0 repeats
Now, there are lots of clever things you can do with this property! That is, th…
Post #AT9Bl1kRmcZB3Oynui by [email protected]
0 likes, 0 repeats
@SecurityWriter @shelldozer The spec is that absence of SPF is equivalent to ?a…
Post #AT9ED1ZIFHDiVqExuK by [email protected]
0 likes, 0 repeats
@SecurityWriter @shelldozer My thoughts are that you should honor what the send…
Post #AT9ED1tr0pfPXbrNxI by [email protected]
0 likes, 0 repeats
@SecurityWriter @shelldozer What I really don't like is DMARC, which govern…
Post #AT9GDIan9LaxDjCSSu by [email protected]
0 likes, 0 repeats
@SecurityWriter @dalias When dealing with orgs that know what they are doing, a…