by cyberax 92 days ago
> I don't think I'm out on a limb suggesting that random small domains should not enable DNSSEC.

Why? I can see this argument for large domains that might be using things like anycast and/or geography-specific replies. But for smaller domains?

> There's basically zero upside to it for them.

It can reduce susceptibility to automated wormable attacks. Or to BGP-mediated attacks.

Explain the "wormable attack" DNSSEC addresses? I feel pretty well read into wormability, having done a product in the space.

The vast majority of Let's Encrypt installations don't use CAA records or anything in DNS. Or they host the DNS along with the HTTPS servers.

So if the router between the web server and the Internet is compromised, it can just get trusted certs for all the HTTPS traffic going through it, enabling transparent MITM to inject its payload.

"The web server"? Which web server? Are the HTTP flows with executable content going to the web server or coming from it? I'm sorry, you haven't really cleared this up.

Any web server. Just imagine a worm getting onto a company's router and starting to transparently MITM traffic. Jabber.ru experienced such an attack, apparently.

I touched on this in the parallel comment where you linked this, but worth noting that DNSSEC does not solve this threat model, because re-routing the destination of legitimate IP addresses does not rely on modifying DNS responses.

It does solve it. Unless you know my private key, you can't fake the DNSSEC signatures. The linking DS records in the TLD are presumably out of your control and in future can be audited through something like Certificate Transparency logs.

So even if you fully control the network path, you will somehow have to get access to my private key material.

Solves part of it. They still control your HTTP and can make LE issue a certificate for you. So actually solves nothing.

Unless you had a CAA record saying only LE certs from your account are valid. And maybe you want that record to be authenticated.

The attacker did not fake any DNS records. They re-routed traffic to the legitimate IP addresses.
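The CAA record proposed above (only Let's Encrypt certificates from your own account are valid) can be written with the accounturi parameter from RFC 8657, which Let's Encrypt supports. As an added example that is not part of the thread, the Python below models how a CA evaluates such a record: the RFC 8659 climb to the closest CAA RRset, the issue/issuewild match, then the account pin. The zone data and account URI are constructed placeholders.

```python
# Added example (not from the thread): a minimal model of how a CA evaluates
# CAA records (RFC 8659 lookup, RFC 8657 "accounturi" parameter) so that only
# certificates requested from one ACME account are authorised for a name.

# Constructed zone data: owner name -> list of (tag, value). The account URI is
# a placeholder, not a real Let's Encrypt account.
ZONE = {
    "example.test": [
        ("issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE"),
        ("issuewild", ";"),          # no CA may issue wildcard certificates
    ],
}

def parse_caa_value(value):
    """Split 'ca-domain; k=v; ...' into (ca_domain, params). A bare ';' names no CA."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def relevant_caa_rrset(zone, name):
    """RFC 8659 lookup: use the CAA set at the name, else climb towards the root."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(zone, name, ca, account_uri=None, wildcard=False):
    """True if `ca`, issuing for ACME account `account_uri`, may issue for `name`."""
    rrset = relevant_caa_rrset(zone, name)
    if not rrset:
        return True                  # no CAA anywhere above the name: unrestricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in rrset):
        tag = "issuewild"            # issuewild overrides issue for wildcard names
    props = [parse_caa_value(v) for t, v in rrset if t == tag]
    if not props:
        return True                  # CAA present but no issue* property: no restriction
    for ca_domain, params in props:
        if ca_domain != ca.lower():
            continue                 # also rejects ';' (empty CA name)
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue                 # right CA, but a different ACME account
        return True
    return False
```

The check is only as good as the CAA answer the CA receives, which is why the comment above adds that the record itself should be authenticated.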