Sysadmin reminder: 11 October is the #DNS root key rollover. Brace yourself and check *today* that the DNS resolver you manage knows both keys, 19036 (the old) and 20326 (the new) https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.pdf #DNSSEC
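As an added example (not part of the thread), a small Python check for the step the post asks for: compute the key tags (RFC 4034 Appendix B) of the DNSKEY records a resolver serves for the root, or of the DNSKEY lines in its trust-anchor file, and report which of 19036 and 20326 are absent. The sample DNSKEY lines below are constructed, not real root keys.

```python
import base64
from typing import List, Set, Tuple

# Key tags of the two root KSKs named in the post: 19036 (old) and 20326 (new).
ROOT_KSK_TAGS = {19036, 20326}

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1/RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8  # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey_lines(text: str) -> List[Tuple[int, int]]:
    """Return (flags, key tag) for each DNSKEY line in presentation format,
    as printed by `dig . DNSKEY` (with or without +short) or found in a
    resolver's trust-anchor file. Lines that are not DNSKEY records are skipped."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" in fields:  # full form: ". 172800 IN DNSKEY 257 3 8 <b64>"
            fields = fields[fields.index("DNSKEY") + 1:]
        try:  # +short form: "257 3 8 <b64>"; dig may split the base64 with spaces
            flags, proto, alg = int(fields[0]), int(fields[1]), int(fields[2])
            pubkey = base64.b64decode("".join(fields[3:]))
        except (IndexError, ValueError):
            continue
        out.append((flags, key_tag(flags, proto, alg, pubkey)))
    return out

def ksk_tags(text: str) -> Set[int]:
    """Key tags of the KSKs only (flags 257 = zone key with the SEP bit set)."""
    return {tag for flags, tag in parse_dnskey_lines(text) if flags == 257}

def missing_root_ksks(text: str) -> Set[int]:
    """Which of the two root KSK tags are not present in the input."""
    return ROOT_KSK_TAGS - ksk_tags(text)

# Constructed sample (NOT the real root keys): one KSK and one ZSK with tiny
# public keys, only to exercise the parser and the key-tag arithmetic.
# Real use: pass the output of `dig . DNSKEY @<resolver>` to missing_root_ksks().
SAMPLE = """\
. 172800 IN DNSKEY 257 3 8 AQIDBA==
. 172800 IN DNSKEY 256 3 8 BQYHCA==
"""
```

An empty result from `missing_root_ksks` on a resolver's trust-anchor file means both KSKs are configured; on the sample both tags are reported missing, as expected for made-up keys.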
@bortzmeyer yeah no.
F*ck DNSSEC. It is company policy where I work never to use it/validate it.
@szbalint Bad policy. Fire the sysadmin and the IT manager.
People always talk about security but when it comes to practical solutions, nobody wants to make an effort :-(
@bortzmeyer I am the security officer and after careful evaluation, reading the standards, knowing the history we decided it actually increases risk, not decreases it.
We're going to roll out DNS over HTTPS when it's a bit more mature.
@szbalint How does it increase the risk? (I know some people claim it is useless but "increases the risk" is new to me).
@bortzmeyer It trades confidentiality for integrity, it is a massive increase in complexity with no obvious benefit (that someone actually backed up with a threat model), were people to turn on validation it would cause disruption and downtime because it's fragile. It's also 90s crypto. See also: https://sockpuppet.org/blog/2015/01/15/against-dnssec/
(I won't comment on https://sockpuppet.org/blog/2015/01/15/against-dnssec/ which is full of bullshit and displays a serious ignorance of #DNSSEC, especially on the crypto side).
@bortzmeyer I was talking about confidentiality.
That post was written by Thomas Ptacek, who's been reviewing cryptography systems and standards since like 1995. There are very few people in the world more qualified than him to comment on crypto design.