by mschuster91 1229 days ago
> Perhaps we need new record types to support this?

The solution would have been DNSSEC; the problem is that authenticating NXDOMAIN responses comes with a ton of challenges of its own, and so, in the end, there were just workarounds and messy hacks [1] that IIRC no one ended up utilizing.

[1] https://en.wikipedia.org/wiki/Domain_Name_System_Security_Ex...


No, it's not! The problem here is end-users being forced to trust their upstream DNS caches. DNSSEC doesn't change that! It's a server-to-server protocol, so the same NXDOMAIN interception problem exists --- the intercepting DNS server just sets the AD bit in the header. You can run DNSSEC directly from an end-system, bypassing caches --- but then, relieving load on the roots (a non-issue, but still) is right out the window.
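To make the point about the AD bit concrete, here is an added example (not code from any commenter) that builds and parses the 12-byte DNS header from RFC 1035 and shows why a stub resolver must not treat AD as proof that an NXDOMAIN was validated. The forged response bytes, the transaction id and the policy function names are constructed for the example; the flag bit positions are the real ones from the RFC.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, plus AD/CD from RFC 4035).
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # "authentic data" - set by the *upstream* resolver, unauthenticated
CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F
RCODE_NXDOMAIN = 3


def build_header(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header (network byte order)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def parse_header(data):
    """Decode the header fields a stub resolver sees in a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def naive_stub_accepts(header):
    """A stub that trusts the AD bit from its cache: whatever the cache says goes."""
    return header["rcode"] == RCODE_NXDOMAIN and header["ad"]


def validating_stub_accepts(header, validated_locally):
    """A stub that ignores AD and only accepts an NXDOMAIN it has itself
    validated (NSEC/NSEC3 records and their RRSIG chain checked end-to-end).
    `validated_locally` is the result of that local check, assumed to be
    computed elsewhere; the header alone can never supply it."""
    return header["rcode"] == RCODE_NXDOMAIN and validated_locally


# Constructed sample: an intercepting cache answers NXDOMAIN for a name that
# exists, and simply sets AD in the header. No NSEC/RRSIG records follow
# (nscount == 0), so nothing here is actually verifiable.
FORGED_NXDOMAIN = build_header(0x1234, QR | RD | RA | AD | RCODE_NXDOMAIN)

if __name__ == "__main__":
    h = parse_header(FORGED_NXDOMAIN)
    print("header:", h)
    print("naive stub accepts forged NXDOMAIN:", naive_stub_accepts(h))
    print("validating stub accepts it:", validating_stub_accepts(h, validated_locally=False))
```

The takeaway matches the comment: the AD bit is set by whichever server answers the stub, so an NXDOMAIN is only authenticated if the end system runs the DNSSEC validation itself (and then it no longer benefits from the cache).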
You are right. My brain decided to forget that existed!