DNS Choice?

If the DNS record is changed encryption is not going to help.

I'm sticking with Quad9 for now.

DNSSEC is not about encryption, it's about crypto signing of records.
 
DNSSEC is not about encryption, it's about crypto signing of records.

OK. It is about the same thing, to stop man-in-the-middle attacks so only point A and point B have the keys. What is happening is the DNS records are being changed, maybe only on 1 server, so keying or encrypting is not going to help a false DNS record. Once your PC hits the bad guy's site he can do a lot. The DNS records get changed back, but during that time period you are wide open. They can also steal valid encryption certificates for an organization's domain names. Probably not what we worry about on this site. This is all bad.
 
They can also steal valid encryption certificates for an organization's domain names.

I don't think you understand how DNSSEC works - I recommend reading up on it. Again, you are mixing up technologies like DoT/DoH, and DNSSEC. The signing keys are stored on root servers, not on your computer or your upstream server. The chances of these servers getting compromised are slim to none.
 
I don't think you understand how DNSSEC works - I recommend reading up on it. Again, you are mixing up technologies like DoT/DoH, and DNSSEC. The signing keys are stored on root servers, not on your computer or your upstream server. The chances of these servers getting compromised are slim to none.

Thanks. I will read up on DNSSEC. But if you read about Sea Turtle, I think they are changing root servers.

"Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers."

How many root servers are there around the world? I assume a lot. I assume they fix it by majority rules.
 
How many root servers are there around the world?

13.

I don't remember, however, if the keys are on the actual root servers or on the TLD root servers.
 
Keys are part of the domain record - for "example.org", the keys are there...

But there are higher-level signing keys in there; that's why the TLD also needs to be signed for DNSSEC to work at the domain level, to provide a complete chain of trust. And at the highest level you have the two official root anchors.
 
