> On 25 Feb 2019, at 4:34 pm, Bill Woodcock wrote:
>
>> On Feb 24, 2019, at 5:51 PM, Keith Medcalf wrote:
>>
>> That they also "forgot" to disable DNSSEC on PCH is not particularly
>> relevant. It only goes to prove my point that DNSSEC is irrelevant and only
>> gives a false sense
On 25/02/2019 07:20, Bill Woodcock wrote:
On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) wrote:
In the 3rd attack noted below, do we know if the CA that issued the DV CERTS
does DNSSEC validation on its DNS challenge queries?
We know that neither Comodo nor Let's Encrypt were DNSSEC va
> On Feb 24, 2019, at 5:51 PM, Keith Medcalf wrote:
>
> That they also "forgot" to disable DNSSEC on PCH is not particularly
> relevant. It only goes to prove my point that DNSSEC is irrelevant and only
> gives a false sense of security (for this particular attack vector).
For those watchin
> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed) wrote:
> In the 3rd attack noted below, do we know if the CA that issued the DV CERTS
> does DNSSEC validation on its DNS challenge queries?
We know that neither Comodo nor Let's Encrypt were DNSSEC validating before
issuing certs. The
Google has been validating on 8.8.8.8 for years now though they only properly
enabled EDNS for Google.com on Jan 10, 2019. Prior to that you needed to
include a EDNS ECS option to get a EDNS response. They also DNSSEC sign some
of their zones. https://developers.google.com/speed/public-dns/fa
On Mon, Feb 25, 2019, 1:30 PM John Levine wrote:
> > You are right, if you can compromise a registrar that permits DNSSEC to
> > be disabled (without notification/confirmation to POCs
> > etc), then you only have a limited period (max of DS TTL) of protection
> > for those resolvers that have already
In article you write:
> You are right, if you can compromise a registrar that permits DNSSEC to be
> disabled (without notification/confirmation to POCs
> etc), then you only have a limited period (max of DS TTL) of protection for
> those resolvers that have already cached the DS.
As far as I can t
I just checked
Bing.com
Google.com
Amazon.com
Facebook.com
Netflix.com
Twitter.com
Chase.com
Coinbase.com
None of them have dnssec signed domains.
They are smart. They make money on the web. And they have, likely
consciously, made a cost / benefit risk driven evaluation of dnssec that it
is not
Keith,
You are right, if you can compromise a registrar that permits DNSSEC to be
disabled (without notification/confirmation to POCs etc), then you only have a
limited period (max of DS TTL) of protection for those resolvers that have
already cached the DS.
If that makes DNSSEC irrelevant in
Obviously none of y'all read the report. Here is the relevant quote:
DNSSEC protects applications from using forged or manipulated DNS data, by
requiring that all DNS queries for a given domain or set of domains be
digitally signed. In DNSSEC, if a name server determines that the address
You might have missed reading the very article you cite.
"Woodcock said PCH’s reliance on DNSSEC almost completely blocked that attack,
but that it managed to snare email credentials for two employees who were
traveling at the time.
Aside from that, DNSSEC saved us from being really, thorou