by tptacek 1568 days ago
It doesn't solve the "manipulate" problem we're talking about here, either: nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain; it only (situationally) prevents them from redirecting it somewhere else. (And, of course, it only works if you're running your own recursive server; it does nothing whatsoever in the 8.8.8.8-type use case).

> nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain

But at least it is detectable thanks to NSEC and NSEC3 records.

Kind of. An intermediary can drop packets and the client will never get the response.
It's detectable when the site that the DNS provider is censoring falls off the Internet!
Yes, that's true.