undefined | Better HN

0 pointstptacek5y ago0 comments

DNSSEC can only distinguish valid from invalid NXDOMAINs on signed zones. A tiny, tiny minority of zones in .COM, .NET, .ORG, and .IO are signed. Installing your own local DNSSEC resolver to "fix" the Chrome URL bar would be a tremendous misallocation of effort.

If your ISP forges NXDOMAIN responses, the correct response is to DOH to a provider that doesn't do that. That's a simple networking config change, for which there is UI in every mainstream operating system. The DNSSEC part of this conversation is just silly.

0 comments

AndyMcConachie5y ago

Do whatever you want as your proposed mitigation, but we are talking about the root zone here, which is signed.

tptacekOP5y ago

My proposed mitigation is being deployed in every modern browser, and completely eliminates the ISP-spoofed NXDOMAIN problem. Yours asks users to install their own DNS server, and still doesn't eliminate the problem. I'm comfortable saying that my advice is correct, and the advice to use DNSSEC to solve this problem is malpractice.

j / k navigate · click thread line to collapse

0 pointstptacek5y ago0 comments

0 comments

AndyMcConachie5y ago

Do whatever you want as your proposed mitigation, but we are talking about the root zone here, which is signed.

tptacekOP5y ago

j / k navigate · click thread line to collapse