Why do we need DNSSEC?

by gpi on 6/19/2025, 5:03 PM with 193 comments

by tptacek on 6/19/2025, 6:04 PM

We don't. If we did, we'd have it by now. It's been over 25 years of making appeals like this.

It's a fun site! I'm not entirely sure why the protagonist is a green taco, but I can see why a DNS provider would make a cartoon protocol explainer. It's just that this particular protocol is not as important as the name makes it sound.

by 1vuio0pswjnm7 on 6/19/2025, 8:23 PM

"DNS resolvers are the ones in charge of tracking down this information for you."

If one uses them.

One can alternatively use iterative queries where no "DNS resolver", i.e., recursive resolver, is used.

Many years ago I wrote a system for iterative resolution for my own use, as an experiment. I learnt that it can be faster than recursive resolution.

People have since written software for iterative resolution, e.g., https://lizizhikevich.github.io/assets/papers/ZDNS.pdf

Unfortunately authoritative servers generally do not encrypt their responses. IMO this would be more useful than "DNSSEC".

"And that data is often provided by authoritative servers."

What are examples of data not provided by authoritative servers?

by anonymousiam on 6/19/2025, 7:08 PM

Dan Kaminsky showed us why we need DNSSEC. Without it, it's quite easy to MITM and/or spoof network traffic. Some governments like to do this, so they'll continue to make it difficult for DNSSEC to be fully adopted.

The original registrar, Network Solutions, doesn't even fully support DNSSEC. You can only get it if you pay them an extra $5/mo and let them serve your DNS records for you. So for $5/mo you get DNSSEC, but you defer control of your records to them, which isn't really secure.

https://community.cloudflare.com/t/dnssec-on-network-solutio...
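Two comments above touch on how a client can resolve names without trusting a recursive resolver (iterative resolution) and on why unauthenticated answers are spoofable. The following added example, which is not code from any commenter, simulates an iterative resolver walking referrals from a root server offline, and applies the bailiwick check that cache-poisoning defences rely on: glue in a referral is only accepted when the name lies inside the zone of the server that answered. Every server address, name and record below is constructed from RFC 5737 documentation ranges; a real iterative resolver would send DNS queries over UDP/TCP instead of reading the `SERVERS` table, and would look up an NS name itself when no usable glue arrives rather than stopping.

```python
"""Iterative DNS resolution, simulated offline, with a bailiwick check on glue.

Added example, not code from any commenter in the thread. Every server, name
and address below is constructed (RFC 5737 documentation ranges); a real
iterative resolver sends UDP/TCP queries instead of reading SERVERS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    """What one simulated authoritative server says about a query."""
    answer: Optional[str] = None                          # A record for the name
    referral_zone: Optional[str] = None                   # child zone delegated
    glue: Dict[str, str] = field(default_factory=dict)    # NS name -> address


# Constructed zone data: server address -> (zone apex, A records, delegations).
# 198.51.100.3 hands out glue for a name under example.com. although it only
# serves net.; that is additional-section data a resolver must not believe.
SERVERS: Dict[str, Tuple[str, Dict[str, str], Dict[str, Dict[str, str]]]] = {
    "198.51.100.1": (".", {}, {
        "com.": {"a.gtld.example.": "198.51.100.2"},
        "net.": {"b.gtld.example.": "198.51.100.3"},
    }),
    "198.51.100.2": ("com.", {}, {
        "example.com.": {"ns1.example.com.": "203.0.113.53"},
    }),
    "198.51.100.3": ("net.", {}, {
        "example.net.": {"ns1.example.com.": "203.0.113.99"},   # out of bailiwick
    }),
    "203.0.113.53": ("example.com.", {"www.example.com.": "203.0.113.10"}, {}),
}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone`; the root zone contains everything."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server: str, qname: str) -> Response:
    """Simulate asking one authoritative server: it answers, refers, or has nothing."""
    _zone, records, delegations = SERVERS[server]
    if qname in records:
        return Response(answer=records[qname])
    child_zones = [z for z in delegations if in_bailiwick(qname, z)]
    if not child_zones:
        return Response()                      # name does not exist here
    best = max(child_zones, key=len)           # closest enclosing delegation
    return Response(referral_zone=best, glue=dict(delegations[best]))


def iterative_resolve(qname: str, root: str = "198.51.100.1", max_hops: int = 8) -> dict:
    """Walk referrals from the root server; no recursive resolver is involved.

    Returns the address (or None), the servers consulted in order, and any glue
    rejected because it lay outside the responding server's zone.
    """
    path: List[str] = []
    rejected: List[str] = []
    server = root
    for _ in range(max_hops):
        zone = SERVERS[server][0]
        path.append(server)
        resp = query(server, qname)
        if resp.answer is not None:
            return {"address": resp.answer, "path": path, "rejected_glue": rejected}
        if resp.referral_zone is None:
            return {"address": None, "path": path, "rejected_glue": rejected}
        usable: Dict[str, str] = {}
        for ns_name, addr in resp.glue.items():
            if in_bailiwick(ns_name, zone):
                usable[ns_name] = addr
            else:
                rejected.append(ns_name)     # bailiwick check: drop foreign glue
        if not usable:
            # A real resolver would now resolve the NS name itself; we stop here.
            return {"address": None, "path": path, "rejected_glue": rejected}
        server = next(iter(usable.values()))
    return {"address": None, "path": path, "rejected_glue": rejected}


if __name__ == "__main__":
    print(iterative_resolve("www.example.com."))   # three hops, address found
    print(iterative_resolve("www.example.net."))   # foreign glue rejected, no address
```

The path returned for `www.example.com.` is root, then the `com.` server, then the zone's own server, which is what the iterative approach buys: every answer comes straight from the server that is supposed to hold it. The bailiwick check limits what a single forged or poisoned response can inject, but it does not authenticate the answer itself; that is the gap DNSSEC signatures are meant to close.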

by Avamander on 6/19/2025, 8:03 PM

We don't. It's just another PKI with operators you can never get rid of if they misbehave. That alone makes it not possible to start relying on it.

by coretx on 6/19/2025, 10:25 PM

DNSSEC offers Zero protection against state actors.

by burnt-resistor on 6/19/2025, 7:07 PM

Optional, alternative standards don't have visibility and don't get used.

Without a way to measure, nothing happens. There were once a few UX-hostile DNSSEC & DANE browser extensions, but these never worked well and were discontinued.

Purveyors of functional DNSSEC: https://freebsd.org

by Bender on 6/20/2025, 1:15 PM

DNSSEC induced outages aside, I will start signing my zones when:

- DNSSEC auto-signing is tightly integrated into all authoritative DNS daemons instead of being a set of scripts, cron jobs and other bolt-on concepts. i.e. I never see a key, a script, etc... The daemon logs everything it is parsing and loading when set to verbose or debug.

- My primary and secondary servers and other people's servers all present a DNSSEC-autosign(ed) capability during AXFR/IXFR negotiation and the server knows what to do with it and what additional sanity checks to perform.

- Zone transfers are universally encrypted by all DNS daemons. All of them. Every secondary service one could stumble upon must support XoT Encrypted Zone Transfer. Currently supported by NSD and BIND. RFC 9103. Otherwise this is just a LARP. Optionally also DNS over QUIC, RFC 9250.

- Primary and Secondary servers do sanity checks to determine if I am about to step on my own landmine and will rudely and hopefully quite offensively refuse to activate any changes if something seems off.

- Optionally and optimally I would like to see all of the ROOT servers support DoT with a long lived cert and all that implies. This could be a separate set of physical servers that intercept/DNAT port 853 to cache the load off the actual ROOT servers.

by Zaylan on 6/20/2025, 8:13 AM

I’ve honestly never known which sites use DNSSEC and which don’t. Browsers don’t warn you when it’s missing, and most people probably wouldn’t even know where to look.

It’s hard to care about something like that, even if it really does matter behind the scenes.

by UltraSane on 6/19/2025, 8:52 PM

DNSSEC is very easy to set up on AWS Route53 and it lets you sign any TXT record you have, which can be very useful.

by aspbee555 on 6/19/2025, 6:14 PM

Because I can have my certificate authority in my DNS records and my app can verify the CA cert is from a trusted/verified source.
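The mechanism this comment describes, a CA or end-entity certificate pinned in DNS and checked by the application, is what DANE TLSA records (RFC 6698) provide; that reading is my assumption, and the commenter does not name DANE. The following added example, which is not the commenter's code, parses TLSA records in their zone-file presentation form and checks a certificate chain against them. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real X.509 data, and the records are derived from them in the same file so the example runs offline; a real client would obtain the TLSA RRset from a DNSSEC-validating resolver and use it only when validation succeeded, since an unsigned TLSA record is just another spoofable answer.

```python
"""Checking a certificate chain against DANE TLSA records (RFC 6698).

Added example, not code from the commenter. The "certificate" and SPKI bytes
are constructed placeholders, and the TLSA records are built from them below
so that the check runs offline. Only the DANE usages 2 (DANE-TA) and 3
(DANE-EE) are modelled; usages 0 and 1 additionally require PKIX path
validation, which this file does not perform.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int    # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int       # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes      # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse the presentation format "3 1 1 <hex>" used in zone files and dig output."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute what the record's data field should contain for this certificate."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    return association_data(cert_der, spki_der, record.selector, record.mtype) == record.data


# A chain is a list of (certificate DER, SPKI DER) pairs, end-entity first.
Chain = List[Tuple[bytes, bytes]]


def dane_verify(records: List[TLSA], chain: Chain) -> bool:
    """True if any TLSA record is satisfied by the presented chain.

    Usage 3 pins the end-entity certificate; usage 2 pins a CA that must appear
    in the chain (a real client must also verify the chain up to that CA, which
    is out of scope here). Usages 0 and 1 are refused rather than half-checked.
    """
    for rec in records:
        if rec.usage in (0, 1):
            raise ValueError("PKIX usages need certificate path validation, not modelled")
        candidates = chain[:1] if rec.usage == 3 else chain[1:]
        if any(tlsa_matches(rec, cert, spki) for cert, spki in candidates):
            return True
    return False


# Constructed placeholders standing in for DER-encoded X.509 structures.
EE_CERT = b"constructed end-entity certificate bytes"
EE_SPKI = b"constructed end-entity SubjectPublicKeyInfo bytes"
CA_CERT = b"constructed CA certificate bytes"
CA_SPKI = b"constructed CA SubjectPublicKeyInfo bytes"
CHAIN: Chain = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]

# Records as an operator would publish them at _443._tcp.www.example.com.:
# a DANE-TA pin on the CA's public key and a DANE-EE pin on the leaf certificate.
RECORDS = [
    "2 1 1 " + hashlib.sha256(CA_SPKI).hexdigest(),
    "3 0 1 " + hashlib.sha256(EE_CERT).hexdigest(),
]


if __name__ == "__main__":
    recs = [parse_tlsa(r) for r in RECORDS]
    print(dane_verify(recs, CHAIN))                                   # True
    print(dane_verify(recs, [(b"other leaf", b"k1"), (b"other ca", b"k2")]))  # False
```

The usage-2 record is the "CA in DNS" case from the comment: the application can trust the pinned CA without any browser-bundled root store, but only as far as the DNS answer itself is trustworthy, which is exactly where DNSSEC enters the picture.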

by jongjong on 6/20/2025, 12:23 AM

We don't technically need ICANN or the whole DNS system anymore.

Anyone could quickly build a public cryptographically secure blockchain-based DNS system where people could optionally sync and query their own nodes (without even going over the wire). People could buy and own their domain names on-chain using cryptocurrency instead of repeatedly renting them from some centralized entity.

You could easily build this today by creating a Chrome Extension with a custom URL/address bar which bypasses the main one and makes a call to blockchain nodes instead of a DNS resolver; it would convert a domain name into an IP address by looking up the blockchain. This system could scale without limit in terms of reads as you can just spin up more nodes.

I mean it'd be so easy it's basically a weekend project if you use an existing blockchain as the base. Actually Ethereum already did something like this with .ETH domains but I don't think anyone built a Chrome Extension yet; or at least I haven't heard, though it's possible to enable in Brave browser via settings (kind of hidden away). Also, there is Unstoppable Domains.

by tialaramex on 6/19/2025, 7:32 PM

Parts of the inevitable Thomas Ptacek DNSSEC rant remind me of the years of denialism from C++ people before the period when they were "concerned" about safety and the past few years of at least paying lip service to the idea that C++ shouldn't be awful...