Hacker News new | ask | show | jobs
by adiabatichottub 85 days ago
If you don't absolutely have to, then don't.

That is to say, if you misconfigure it, or try to turn it off, you will have an invalid domain until the TTL runs out, and it's really just not worth the headache unless you have a real use case.
1 comments
deepsun 85 days ago
I consider it as basic security measure as SSL. Otherwise any MitM can easily redirect users to a phishing resource.

Did DNSSEC for company website, worked with zero maintenance for several years. On a cloud-provided DNS. Would want the same on self-hosted DNS too.

link
0x073 85 days ago
"Otherwise any MitM can easily redirect users to a phishing resource."

Yes, but with nowadays https/tls usage it's almost irrelevant for normal websites.

If bad actors can create valid tls certs they can solve the dnssec problem.

link
throw0101d 85 days ago
> If bad actors can create valid tls certs they can solve the dnssec problem.

I think you have it backwards: by not running DNSSEC it can mean bad actors (at least a certain level) can MITM the DNS queries that are used to validate ACME certs.

It is now mandated that public CAs have to verify DNSSEC before issuing a cert:

* https://news.ycombinator.com/item?id=47392510

So if you want to reduce the risk of someone creating a fake cert for one of your properties, you want to protect your DNS responses.

link
0x073 85 days ago
If you mean MITM between DNS Server and CA (e.g. letsencrypt), thats on a level of BGP hacking (means for me government involved) and means they can just use a CA (e.g. Fina CA 2025 with cloudflare).

I think the risk didn't change much (except for big corp/bank).

link
throw0101d 85 days ago
At one point (pre-HTTPS ubiquity) the NSA hacked (e.g.) Belgium telecoms via injecting malware into web response from (e.g.) Slashdot:

* https://thehackernews.com/2013/11/snowden-reveals-gchq-plant...

* https://www.aclu.org/documents/quantum-insert-diagrams

* https://en.wikipedia.org/wiki/Man-on-the-side_attack

Still state-level, but probably less noticeable than BGP hijacking.

Unless you're entering IP addresses in all your applications and code, non-SEC DNS is an unsecured link in the chain of communications.

link