Can someone explain to me like I’m a dumbass (I am) why #DNSSEC might be worth turning on?
-
Can someone explain to me like I’m a dumbass (I am) why #DNSSEC might be worth turning on? Our vendor appears to use keys that I am given to understand can be cracked in a tiny fraction of their lifetime, so I don’t see much value… #dns #networking
-
@Azvede what!? What key alg/length are they using? -
it's handy if you're using that domain to send email.
and yes, the keys -can- be cracked, but the step of having -to- crack them raises the bar a little bit and can contribute towards other measures' success.
-
@Azvede There are two things you might "turn on". One is validating the answers, if signed, to queries you or your systems make.
Two is signing your names so that others may validate. I assume you mean this.
The first is pretty easy, maybe already being done by default, and comes with few drawbacks.
The second may also be done by default, or easy to do depending on who or what serves (is authoritative for) your names. This is usually easier and simpler if a DNS service provider (registrar that you manage your names through) does it for you.
"Cracked"? Probably not in the easy-to-uncover-the-private-key sense, I'm guessing. Maybe what you're referring to is known as "zone enumeration", or the ability to discover all the records in your zone by brute force? Most don't care about this or would suggest the DNS was never designed to protect against that.
Why or why not turn it on? There are many vocal advocates for either position. The pro side tends to say things like, this is the mechanism we got, it works well enough it's worth it. The con usually complains about it adding more brittleness for little gain. Long debates ensue from here.
My advice, if you don't have to manage the servers and key rollovers yourself, and the provider has a good reputation, enable it. Otherwise, get really good at operating your existing DNS yourself first, then you'll know whether you want it or not.
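The "zone enumeration" mentioned above, as an added worked example (editor's code, not from anyone in the thread). Plain NSEC records form a chain of "next owner name" pointers in canonical order, so a single walk from the apex lists every name in the zone; NSEC3 replaces owner names with salted, iterated SHA-1 hashes, so the walk yields hashes and names only come back if a wordlist guesses them. The zone names and the wordlist are constructed for illustration; the hash routine follows RFC 5155 section 5 and is checked against the RFC's Appendix A vector (`example.`, salt `aabbccdd`, 12 iterations).

```python
"""Zone enumeration by walking an NSEC chain, and why NSEC3 only raises the cost.

Added example; not code from the thread. ZONE_NAMES and the wordlist are
constructed. nsec3_hash() implements RFC 5155 section 5.
"""
import base64
import hashlib

# Constructed zone contents (not real hosts). A signed zone must prove, in
# every negative answer, which names do and do not exist; that proof is what
# an enumerator walks.
ZONE_NAMES = [
    "example.test.",
    "www.example.test.",
    "mail.example.test.",
    "git.example.test.",
    "vpn-old.example.test.",
]

B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32 alphabet
B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex alphabet (NSEC3 uses this)


def canonical_key(name):
    """Sort key for RFC 4034 canonical order: labels compared right to left, lowercase."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def to_wire(name):
    """Lowercase wire-format owner name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s.5: IH(0) = SHA-1(name||salt); IH(k) = SHA-1(IH(k-1)||salt); base32hex, lowercase."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")  # 20-byte digest -> 32 chars, no padding
    return b32.translate(str.maketrans(B32_STD, B32_HEX)).lower()


def build_chain(owners, key=None):
    """Link owner names in sorted order; the last record's 'next' pointer wraps to the first."""
    ordered = sorted(owners, key=key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def walk_chain(chain, start):
    """Follow 'next owner' pointers until the chain wraps. That is all an NSEC walker does."""
    seen = [start]
    cur = chain[start]
    while cur != start:
        seen.append(cur)
        cur = chain[cur]
    return seen


def enumerate_nsec(zone_names):
    """Plain NSEC: one walk from the apex yields every owner name in the zone."""
    chain = build_chain(zone_names, key=canonical_key)
    apex = min(zone_names, key=canonical_key)
    return walk_chain(chain, apex)


def crack_nsec3(zone_names, zone, wordlist, salt, iterations):
    """NSEC3: the walk yields only hashes; a name is recovered only if the wordlist guesses it."""
    chain = build_chain([nsec3_hash(n, salt, iterations) for n in zone_names])
    hashes = set(walk_chain(chain, next(iter(chain))))
    guesses = {f"{label}.{zone}" for label in wordlist} | {zone}
    return sorted(g for g in guesses if nsec3_hash(g, salt, iterations) in hashes)


if __name__ == "__main__":
    print("NSEC walk:", enumerate_nsec(ZONE_NAMES))
    wordlist = ["www", "mail", "git", "vpn", "dev"]  # constructed wordlist; misses "vpn-old"
    print("NSEC3 walk + wordlist:",
          crack_nsec3(ZONE_NAMES, "example.test.", wordlist, b"\xaa\xbb", 10))
```

The NSEC walk returns all five names; the NSEC3 walk plus wordlist returns four and never sees `vpn-old`, which is the whole of NSEC3's protection: the names are still enumerable, just at dictionary-attack cost rather than one query per record. That is why the reply above says most people treat enumeration as a property DNS never promised to hide.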