Sysadmin reminder: 11 october is the root key rollover. Brace yourself and check *today* that the DNS resolver you manage knows both keys, 19036 (the old) and 20326 (the new) icann.org/en/system/files/file
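One way to turn that check into a script, as an added example that is not part of the thread: it parses DNSKEY records in presentation format (what `dig . DNSKEY` prints, and what a trust-anchor file in the same format contains), computes each key tag with the RFC 4034 Appendix B algorithm, and reports whether both tags 19036 and 20326 are present. The sample DNSKEY lines below are constructed dummies, so on them the check correctly reports both tags missing; point it at the real output from the resolver you manage.

```python
import base64
import re

# Key tags named in the post: the old and the new root KSK for the 11 October rollover.
OLD_ROOT_KSK_TAG = 19036
NEW_ROOT_KSK_TAG = 20326

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# Matches ". 172800 IN DNSKEY 257 3 8 <base64>" as printed by dig (the TTL is optional).
DNSKEY_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

def key_tags_from_dig(output):
    """Return {key_tag: flags} for every DNSKEY line found; other lines are ignored."""
    tags = {}
    for line in output.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            flags, proto, alg, key = m.groups()
            # dig prints the base64 key with spaces inside it; strip them before decoding.
            rdata = dnskey_rdata(int(flags), int(proto), int(alg), key.replace(" ", ""))
            tags[key_tag(rdata)] = int(flags)
    return tags

def rollover_ready(tags):
    """(ready, missing): ready only if both the old and the new KSK tag are present."""
    missing = [t for t in (OLD_ROOT_KSK_TAG, NEW_ROOT_KSK_TAG) if t not in tags]
    return (not missing, missing)

# Constructed sample in dig's output format; the keys are tiny dummies, not the real root keys.
SAMPLE_DIG_OUTPUT = """\
; <<>> constructed sample, not real root zone data <<>>
.\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA==
.\t172800\tIN\tDNSKEY\t256 3 8 BQYHCA==
"""

if __name__ == "__main__":
    found = key_tags_from_dig(SAMPLE_DIG_OUTPUT)
    print("key tags seen:", sorted(found), "->", rollover_ready(found))
```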

@bortzmeyer yeah no.

F*ck DNSSEC. It is company policy where I work never to use it/validate it.

@szbalint Bad policy. Fire the sysadmin and the IT manager.

People always talk about security, but when it comes to practical solutions, nobody wants to make an effort :-(

@bortzmeyer I am the security officer and after careful evaluation, reading the standards, knowing the history we decided it actually increases risk, not decreases it.

We're going to roll out DNS over HTTPS when it's a bit more mature.

@szbalint How does it increase the risk? (I know some people claim it is useless but "increases the risk" is new to me).

@bortzmeyer It trades confidentiality for integrity, it is a massive increase in complexity with no obvious benefit (that someone actually backed up with a threat model), were people to turn on validation it would cause disruption and downtime because it's fragile. It's also 90s crypto. See also: sockpuppet.org/blog/2015/01/15

@szbalint Availability and integrity are two different security services. So, you claim that it decreases availability, am I correct?

(I won't comment on sockpuppet.org/blog/2015/01/15 which is full of bullshit and displays a serious ignorance of , especially on the crypto side).

@bortzmeyer I was talking about confidentiality.

That post was written by Thomas Ptacek, who's been reviewing cryptography systems and standards since like 1995. There are very few people in the world more qualified than him to comment on crypto design.

@szbalint @bortzmeyer In technical matters, the argument from authority is the weakest. No one is free from making errors, not even geniuses: Einstein introduced the cosmological constant just because it felt right to him, and then retracted it when observations proved him wrong (though that is still a debate now...). Also, everyone has their own agenda to push. While you can trust some more than others based on various past signals, you should never trust anyone 100% and always mix viewpoints.


@pmevzek @szbalint Also, everyone has a domain (pun intended) of knowledge/competence and his/her authority in this domain does not always extend outside. Being good in crypto does not automatically mean you're good in DNS.

Mastodon - Gougère Network