Tim W @tw

I'm bored. Ask me questions about , , , , or anything else, I'll be around the next ~2 hours!

(More topic ideas in my pinned posts, probably.)

@tw why do people still think DNSSEC has any tangible value. It’s garbage.

@feld I would argue it does in fact do what it says it does, it's just... extremely difficult to get it to do that correctly, perhaps?

@tw unless every client device on the planet runs their own DNS recursor with DNSSEC validation it provides very little value in the real world

@feld DNSSEC is one area of DNS I never dived very deeply into; that said, it is my understanding (wave hands, wave hands) that a validating client (which doesn't have to be a full recursive resolver) still gains protections from a signed zone.

@feld I definitely do agree that the implementation / trying to actually deal with it is garbage though.

@tw I think it’s the wrong place in the stack to try to do authentication. Most DNS attacks are going to be against clients / browsers so as long as you’re using HTTPS you’re fine. The difficulty in forging TLS today is extremely high.

I much prefer dnscrypt which gives me a protected path to a recursor I can trust has strong security controls and monitoring for tampering / poisoning.

@feld dnscrypt is really complementary to DNSSEC in that way - it's preventing the MITM between you and the resolver, and DNSSEC is preventing MITM between the resolver and whatever you're looking up.

@tw kind of, but it doesn’t work that way in practice. The client using the recursor through dnscrypt still has to request DNSSEC records or they won’t be used and verified. So no good for most use cases, especially mobile clients.
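To make the point concrete about the client having to ask for DNSSEC, here is an added example (not from the thread) that builds a DNS query with and without the EDNS0 DO bit (the "please send and validate DNSSEC records" signal, RFC 6891) and reads the AD flag (RFC 4035) from a constructed resolver response. The sample responses are constructed here; a real client would only trust AD when the path to the recursor is itself protected, which is the gap dnscrypt fills.

```python
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000          # DO bit lives in the OPT RR's TTL field
OPT_TYPE, UDP_SIZE = 41, 1232

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Build a DNS query; when dnssec_ok, append an EDNS0 OPT RR with DO set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP payload size, flags-in-TTL, rdlen 0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_SIZE, EDNS_DO, 0)
    return msg

def query_requests_dnssec(msg: bytes) -> bool:
    """True if the query's first additional record is an OPT RR with DO set."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0:
        return False
    pos = 12                      # skip header, then the single question name
    while msg[pos] != 0:
        pos += msg[pos] + 1
    pos += 1 + 4                  # terminating zero, then qtype + qclass
    if msg[pos] != 0:             # OPT RR name must be the root
        return False
    rtype, _, ttl, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    return rtype == OPT_TYPE and bool(ttl & EDNS_DO)

def response_is_authenticated(msg: bytes) -> bool:
    """True only if the resolver set AD (Authenticated Data) in the header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & FLAG_AD)

# Constructed response headers: one where the recursor validated (AD set), one where it did not.
RESPONSE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
RESPONSE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    print("DO requested:", query_requests_dnssec(build_query("example.com")))
    print("AD in validated response:", response_is_authenticated(RESPONSE_VALIDATED))
```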

@feld "as long as you're using HTTPS you're fine" presupposes a non-broken certificate authority system, unfortunately.

@tw it’s not broken anymore with Certificate Transparency