
Today's BGP hijack of Cloudflare's 1.1.1.1 DNS service to an AS in China demonstrates how using a centralized DNS service is dangerous.

Running a recursive resolver, preferably with DNSSEC validation and enforcement, should help mitigate issues like what happened this morning.

@feld I'm not a big fan of DNSSEC, either, but it's at least somewhat better than plaintext, unauthenticated queries and responses.

@lattera only in a perfect world where every domain is signed with DNSSEC and it doesn't have the current failure rate that DNSSEC has due to its inability to cope with network connectivity issues.

The reality is that the protocol fails where it shouldn't and the errors are opaque to the end user applications.

Additionally, we peaked at barely 1% domains signed in .net, .com, and .org and it has been trending down for several years.

DNSSEC is dead.

If you want your DNS queries to not be intercepted you want dnscrypt or dns-over-tls where the attacker would also have to steal the crypto keys instead of just BGP hijack. Yes, you're still using centralized DNS but the vendors running these services have the ability to monitor and defend against attacks trying to tamper with their caches and resolution.

"Reminder: you could publish the DNSSEC root RSA secret keys on Pastebin and nothing on the Internet that matters would break."
S. Bortzmeyer ✅ @bortzmeyer

@feld @lattera Why "network connectivity"? How could it break?

@bortzmeyer @lattera packet fragmentation between server and client. Server sets DF bit, packets get fragmented in transit as DF bit is ignored, client drops all fragmented traffic.

This is very common and affects DNSSEC.
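The fragmentation failure mode described in the post above is usually mitigated on the resolver side by advertising a small EDNS0 buffer, so that an oversized signed answer is truncated and retried over TCP instead of being fragmented. The following is an added example, not code from anyone in this thread: it builds a DNSSEC-aware query carrying an RFC 6891 OPT record, parses the advertised buffer size back out, and checks whether that size keeps a maximal UDP reply within the IPv6 minimum MTU. The 1232-byte value is the DNS Flag Day 2020 recommendation; the query name and transaction id are constructed sample values.

```python
import struct

IPV6_MIN_MTU = 1280
IP6_UDP_OVERHEAD = 40 + 8                     # IPv6 header + UDP header
SAFE_UDP_PAYLOAD = IPV6_MIN_MTU - IP6_UDP_OVERHEAD   # 1232 (DNS Flag Day 2020)

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dnssec_query(name, qtype=1, udp_payload=SAFE_UDP_PAYLOAD, txid=0x1234):
    """Build a UDP DNS query with an OPT record advertising udp_payload bytes and
    the DO bit set (asks the server to include RRSIG records in the answer)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root owner, TYPE 41, CLASS = UDP payload size, and the 32-bit
    # TTL field holds ext-rcode(8) | EDNS version(8) | flags(16); DO is flag bit 15.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_payload, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_edns(msg):
    """Return (udp_payload, do_bit) from the OPT record of a bare query, or None
    when no OPT record is present (the server must then assume 512 bytes)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if an or ns:
        raise ValueError("only queries without answer/authority sections are supported")
    pos = 12
    for _ in range(qd):                       # skip QNAME labels, QTYPE and QCLASS
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1 + 4
    for _ in range(ar):
        if msg[pos] != 0:
            raise ValueError("non-root owner in additional section not supported")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        if rtype == 41:
            return rclass, bool(ttl & 0x8000)
        pos += 11 + rdlen
    return None

def fragment_safe(msg):
    """True if the largest UDP reply the query permits fits the IPv6 minimum MTU,
    i.e. a signed answer will be truncated (and retried over TCP) rather than fragmented."""
    edns = parse_edns(msg)
    size = edns[0] if edns else 512
    return size + IP6_UDP_OVERHEAD <= IPV6_MIN_MTU
```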