Comment by tptacek
10 days ago
Leaving aside that you applied the word "easy" to DNSSEC, how do you mean? How does DNSSEC solve the problem being discussed?
It was a somewhat flippant (given that GitHub doesn't implement DNSSEC either) dig at the idea of using hand-entered/hand-updated IP addresses for access control, rather than having the access control system look addresses up in the system designed to securely attest owner/ip mappings.
(Almost nobody signs zones.) How is that any easier than just having an https:// URL from which you pull an (arbitrarily-formatted) list of IP addresses to block? Is the idea that you'd otherwise be able to do real-time DNS lookups on incoming IP addresses?
Yes - delay SYNs until an authenticated reverse lookup confirmed the IP was owned by a trusted domain. With caching to reduce common-case latency, which would otherwise be intolerable.
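What the last reply sketches, an authenticated reverse lookup with a cache in front of it, as an added example that is not code from the thread, from GitHub, or from any of the commenters. It models only the verdict a firewall would consult before releasing a held SYN, not the SYN handling itself. The resolver is injected and the records are constructed; `trusted.example`, the `lb1`/`lb2` hostnames, the attacker name and the 60-second negative-cache default are assumptions. Two details the comment leaves implicit are made explicit: the PTR answer alone is not enough, because whoever controls the reverse zone can point it anywhere, so the name is forward-confirmed (the A/AAAA answer for the PTR target must contain the original IP), and both answers must carry the validating resolver's AD (authenticated data) bit, which is the part DNSSEC actually buys you.

```python
"""Forward-confirmed reverse DNS gated on DNSSEC authentication, with a TTL cache.

Added example, not from the thread. The resolver is a callable so the code runs
offline against constructed records; a real deployment would query a validating
resolver and read the AD bit from the response.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Answer:
    rdata: List[str]     # record data as strings; names carry a trailing dot
    authenticated: bool  # AD bit: a validating resolver verified the DNSSEC chain
    ttl: int             # seconds the answer may be cached


Resolver = Callable[[str, str], Optional[Answer]]

NEGATIVE_TTL = 60  # assumption: how long to remember "no PTR at all"


class ReverseDnsGate:
    """Decides whether an IP belongs to a trusted domain; caches each verdict for its TTL."""

    def __init__(self, resolver: Resolver, trusted_domains, clock=time.monotonic):
        self.resolver = resolver
        self.trusted = [d.lower().rstrip(".") for d in trusted_domains]
        self.clock = clock
        self.cache: Dict[str, Tuple[bool, float]] = {}  # ip -> (verdict, expiry)

    def _in_trusted(self, name: str) -> bool:
        return any(name == d or name.endswith("." + d) for d in self.trusted)

    def _lookup(self, ip: str) -> Tuple[bool, int]:
        addr = ipaddress.ip_address(ip)
        # Reverse lookup: 1.2.3.4 -> 4.3.2.1.in-addr.arpa (ipaddress builds the name)
        ptr = self.resolver(addr.reverse_pointer, "PTR")
        if ptr is None:
            return False, NEGATIVE_TTL
        if not ptr.authenticated:
            return False, ptr.ttl  # unsigned reverse zone: attest nothing
        rrtype = "AAAA" if addr.version == 6 else "A"
        for target in ptr.rdata:
            name = target.lower().rstrip(".")
            if not self._in_trusted(name):
                continue
            # Forward confirmation: the trusted zone itself must map the name back to this IP
            fwd = self.resolver(name, rrtype)
            if fwd is None or not fwd.authenticated:
                continue
            if any(ipaddress.ip_address(a) == addr for a in fwd.rdata):
                return True, min(ptr.ttl, fwd.ttl)
        return False, ptr.ttl

    def is_trusted(self, ip: str) -> bool:
        now = self.clock()
        hit = self.cache.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]  # common case: no DNS round trip
        verdict, ttl = self._lookup(ip)
        self.cache[ip] = (verdict, now + ttl)
        return verdict


class FakeResolver:
    """Offline stand-in for a validating resolver; counts calls so caching is observable."""

    def __init__(self, records: Dict[Tuple[str, str], Answer]):
        self.records = records
        self.calls = 0

    def __call__(self, name: str, rrtype: str) -> Optional[Answer]:
        self.calls += 1
        return self.records.get((name, rrtype))


# Constructed records (hypothetical names and addresses).
RECORDS = {
    # Good: signed PTR into the trusted zone, signed A record confirms the IP.
    ("4.3.2.1.in-addr.arpa", "PTR"): Answer(["lb1.trusted.example."], True, 300),
    ("lb1.trusted.example", "A"): Answer(["1.2.3.4"], True, 300),
    # Spoofed: someone else's reverse zone claims a trusted name, forward record disagrees.
    ("5.3.2.1.in-addr.arpa", "PTR"): Answer(["lb1.trusted.example."], True, 300),
    # Unsigned: PTR is right but the reverse zone is not DNSSEC-signed (no AD bit).
    ("6.3.2.1.in-addr.arpa", "PTR"): Answer(["lb2.trusted.example."], False, 300),
    ("lb2.trusted.example", "A"): Answer(["1.2.3.6"], True, 300),
    # Signed, forward-confirmed, but not a trusted domain.
    ("7.3.2.1.in-addr.arpa", "PTR"): Answer(["host.attacker.example."], True, 300),
    ("host.attacker.example", "A"): Answer(["1.2.3.7"], True, 300),
}


if __name__ == "__main__":
    gate = ReverseDnsGate(FakeResolver(RECORDS), ["trusted.example"])
    for ip in ("1.2.3.4", "1.2.3.5", "1.2.3.6", "1.2.3.7", "1.2.3.8"):
        print(ip, gate.is_trusted(ip))
```

The cache key is the IP and the entry lives for the smaller of the two answers' TTLs, so a zone operator can still rotate addresses without the gate holding a stale allow verdict longer than the zone itself permits.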