Hacker News new | ask | show | jobs
by Syonyk 916 days ago
> so things like DNSSEC took off.

DNSSEC doesn't encrypt anything - it's all plaintext on the wire. There are some DNS extensions that encrypt the query/response (DNS over HTTPS does this), but DNSSEC is not that.

DNSSEC is simply a way to verify that the response you get has not been meddled with in transit - it's the domain owner signing the DNS records so that you can verify that your DNS responses aren't being modified by a malicious entity (that may very well be your ISP).
1 comments
tptacek 915 days ago
Yes, they're probably thinking of DoH, which is much, much more widely deployed than DNSSEC.
link
belorn 915 days ago
How are you calculating that?

The number of users of recursive resolvers that support DNSSEC vs users of browsers that use DoH? Number of companies that has infrastructure that supporting DoH compared to number of companies that has infrastructure that supporting DNSSEC? Daily users?

link
tptacek 915 days ago
The right figure of merit should be "lookups protected by DoH/DNSSEC" (stipulating that DoH and DNSSEC have different definitions of "protected" and just assuming arguendo they're the same). I don't think it'd even be close; I would assume DoH exceeds DNSSEC by several orders of magnitude.

Note that this isn't lookups that happen to run through a resolver with DNSSEC enabled; to count, you'd be talking about such a lookup to a zone that had DNSSEC signatures. You can see the advantage DoH has here, since it works with all zones.

link
belorn 915 days ago
That would be the volume of traffic being sent over DoH compared to the volume of traffic from every recursive and authoritative dns servers that support dnssec.

It would interesting to see statistics. I wouldn't assume anything in that race. Some TLD's which are signed has quite a lot of traffic going through them on any given day, and most resolvers connecting to those have dnssec enabled by default. There are published statistics for this, but I can't find anything similar from either google or cloudflare.

link
tptacek 915 days ago
All traffic sent over DoH is protected. Most traffic --- the overwhelming majority of traffic --- sent through a DNSSEC-verifying resolver isn't signed by DNSSEC, because the overwhelming majority of zones --- and an even higher proportion of popular zones, by any reasonable metric of popularity you choose (I use the Moz 500) --- aren't signed.
link