Comment by cyberax

6 hours ago

> I don't think I'm out on a limb suggesting that random small domains should not enable DNSSEC.

Why? I can see this argument for large domains that might be using things like anycast and/or geography-specific replies. But for smaller domains?

> There's basically zero upside to it for them.

It can reduce susceptibility to automated wormable attacks. Or to BGP-mediated attacks.

Explain the "wormable attack" DNSSEC addresses? I feel pretty well read into wormability, having done a product in the space.

  • The vast majority of Let's Encrypt installations don't use CAA records or anything in DNS. Or they host the DNS along with the HTTPS servers.

    So if the router between the web server and the Internet is compromised, it can just get trusted certs for all the HTTPS traffic going through it, enabling transparent MITM to inject its payload.
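The mitigation the thread points at is a CAA record (RFC 8659) that names the only CA allowed to issue for the zone, so that control of the HTTP path alone is not enough to obtain a certificate. The following is an added example, not code from anyone in this thread: it evaluates CAA policy the way a CA must, climbing from the requested name towards the root to find the Relevant RRSet and then applying the issue/issuewild/critical-flag rules. It runs against a constructed in-memory zone (no DNS queries) and, as a simplification, ignores CNAME/alias handling; zone names, records and the `may_issue` helper are assumptions of the example, used to check whether a zone's CAA actually restricts issuance to the CA the operator uses.

```python
"""Evaluate CAA (RFC 8659) issuance policy against a constructed zone.

Added example; not part of the thread. Shows the Relevant RRSet climb and
the issue / issuewild / critical-flag logic a CA applies before issuing.
CNAME/alias following is deliberately omitted (assumption for brevity).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 0x80 = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # e.g. "letsencrypt.org", ";" (nobody), or "mailto:..."


# Constructed sample zone: owner name -> CAA RRset. Purely illustrative data.
SAMPLE_ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "wild.example.com.": [CAA(0, "issuewild", "digicert.com")],
    "locked.example.com.": [CAA(0, "issue", ";")],           # no CA at all
    "unknown-critical.example.com.": [CAA(0x80, "futuretag", "x")],
}


def relevant_rrset(name, zone):
    """RFC 8659 section 3: the first CAA RRset found walking from the FQDN
    towards the root is the Relevant RRSet; parents below it are ignored."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []


def may_issue(name, ca_domain, zone, wildcard=False):
    """Return (allowed, reason) for ca_domain issuing a cert for name.
    wildcard=True means the request is for *.name."""
    origin, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records found; any CA may issue"

    # A critical record with a tag the CA does not understand forbids issuance.
    known = {"issue", "issuewild", "iodef"}
    for rr in rrset:
        if rr.flags & 0x80 and rr.tag.lower() not in known:
            return False, f"critical unrecognised tag {rr.tag!r} at {origin}"

    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # For wildcard names, issuewild records (if any) replace issue records;
    # for non-wildcard names, issuewild records are ignored entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"no applicable issue records at {origin}; any CA may issue"

    for rr in relevant:
        # Value is "<issuer-domain>[; param=value ...]"; ";" alone names nobody.
        issuer = rr.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True, f"{ca_domain} authorised by {rr.tag} record at {origin}"
    return False, f"{ca_domain} not authorised by CAA at {origin}"


if __name__ == "__main__":
    for host, ca, wc in [
        ("www.example.com", "letsencrypt.org", False),
        ("www.example.com", "digicert.com", False),
        ("locked.example.com", "letsencrypt.org", False),
        ("wild.example.com", "digicert.com", True),
        ("x.unknown-critical.example.com", "letsencrypt.org", False),
        ("nothere.org", "letsencrypt.org", False),
    ]:
        ok, why = may_issue(host, ca, SAMPLE_ZONE, wildcard=wc)
        print(f"{host:32} {ca:16} wildcard={wc!s:5} -> {ok}: {why}")
```

The case to notice for the thread's argument is `nothere.org`: with no CAA record anywhere in the hierarchy the answer is "any CA may issue", which is exactly the state of the "vast majority" of zones described above. Note also that CAA only tells a CA what it may do; it does not by itself authenticate the DNS answer the CA receives, which is the gap the DNSSEC discussion is about.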