by xz53
853 days ago
DNSSEC evaluates answers as being one of secure, insecure, or bogus. Secure means there's proof the answer is correct going all the way back to the root. Insecure means at some point there was a delegation that either opts out, or requires use of an unknown signature algorithm or unsupported NSEC3 parameters (unknown/unsupported by the validating software). Bogus means there were no proofs or the proofs didn't check out. Of course there's not much point to that evaluation if you're only looking up IP addresses and then relying on WebPKI to see that the other end is what you expected it to be. EDIT: I'm not allowed to reply for some reason, so in answer to tptacek: > Right, which leaves open the question of what the point is. No, I don't think it does. I think my summary reasonably conveys the functionality DNSSEC offers and how it is practically useful. (This is not a flippant response, the spade is a spade.)
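As an added illustration (not part of the comment above, and not code from any resolver project): the three outcomes the comment describes are what a validating recursive resolver computes, and a stub only ever sees them through the DNS header. The sketch below parses the 12-byte header from raw wire bytes and maps the flags to the same three states: AD=1 means the resolver asserts "secure"; AD=0 with NOERROR or NXDOMAIN means "insecure" (provably unsigned, assuming the resolver actually validates); SERVFAIL is how "bogus" is reported, which a stub can disambiguate from an ordinary failure by retrying with CD=1 (checking disabled). The sample responses are constructed inline; `build_header`, `classify` and the state names are this example's own, not standard API.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# DNS header flag bits (RFC 1035 / RFC 4035 section 3.2.3 for AD/CD).
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


@dataclass
class DnsHeader:
    ident: int
    qr: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte DNS header; the rest of the message is ignored."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        ident=ident,
        qr=bool(flags & FLAG_QR),
        ra=bool(flags & FLAG_RA),
        ad=bool(flags & FLAG_AD),
        cd=bool(flags & FLAG_CD),
        rcode=flags & 0x000F,
    )


def build_header(ident: int, *, ra: bool = True, ad: bool = False,
                 cd: bool = False, rcode: int = RCODE_NOERROR) -> bytes:
    """Constructed sample response header (QR=1, RD=1, one question, no records)."""
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | (FLAG_AD if ad else 0) \
        | (FLAG_CD if cd else 0) | (rcode & 0x000F)
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)


def classify(response: bytes, cd_retry: Optional[bytes] = None) -> str:
    """Map a resolver's response to the DNSSEC state a stub can infer from it.

    Assumes the query was sent with the DO/AD bit set to a validating resolver;
    a non-validating resolver never sets AD, so everything looks 'insecure'.
    """
    h = parse_header(response)
    if not h.qr or not h.ra:
        return "unvalidated"  # not a recursive answer: nobody validated for us
    if h.rcode == RCODE_SERVFAIL:
        # Bogus data is reported as SERVFAIL. Only a CD=1 retry that succeeds
        # proves the failure was validation rather than an upstream outage.
        if cd_retry is not None:
            r = parse_header(cd_retry)
            if r.cd and r.rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
                return "bogus"
        return "servfail"
    if h.ad:
        return "secure"
    if h.rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "insecure"
    return "error"


if __name__ == "__main__":
    print(classify(build_header(1, ad=True)))                                 # secure
    print(classify(build_header(2)))                                          # insecure
    print(classify(build_header(3, rcode=RCODE_SERVFAIL)))                    # servfail
    print(classify(build_header(3, rcode=RCODE_SERVFAIL), build_header(3, cd=True)))  # bogus
```

The practical caveat this encodes is the one the comment alludes to: the stub never sees a signature, only a bit set by whichever resolver answered, so on an untrusted network the AD bit is worth exactly as much as the path to that resolver. A stub that cares must either validate itself or talk to the resolver over an authenticated channel.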
A more pointed critique implied by the thread you're replying to is: if virtually nothing on the Internet is signed, what's the point?
The ATHENE team's Black Hat talk from last year surveyed the "Tranco Top 500k", whatever that is, but I'll just say that 500k is more hosts than the 500 top hosts I use from the Moz500 for the same stat, and found that (wait for it) less than 5% of hosts in that dataset worldwide were signed, and a substantial number of those hosts are just signed by their registrars.
If you were going to make a case for an ordinary Internet user, like, the modal American user, to enable DNSSEC --- what would it be? What benefit would they get?