
But the point of DNSSEC isn't to protect your ability to contact another server, just like the point of SSL isn't to be a substitute for TOR.

Are we on the same page that with DNSSEC activated on a local resolver one would either get an authentic answer, or nothing at all?




> Are we on the same page that with DNSSEC activated on a local resolver one would either get an authentic answer, or nothing at all?

Sure. But it's not very relevant, because almost nobody does that. And that's unlikely to change, because getting nothing at all isn't a very desirable state of affairs.

And given that forcing local DNSSEC resolvers in an OS or a browser would likely mean that a large share of your userbase will get nothing at all, this is pretty much impractical.


> And that's unlikely to change, because getting nothing at all isn't a very desirable state of affairs.

It worked for HTTPS - more and more browser builds refuse to show you stuff, with no workaround, even if there is nothing wrong with the certificates ( cough-sha1-cough-or-cough-chrome-cert-transparency-cough ). Yet I don't see any users revolt.

Claiming that having an all-or-nothing HTTPS is a-ok, yet having all-or-nothing DNS is unacceptable is... inconsistent.


Correct. And if the local resolver is sufficiently close to your client that there is very low risk of an attacker getting into your local network, then you can have a higher degree of trust in those validated answers from your resolver.
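The "authentic answer or nothing at all" behaviour the thread keeps coming back to is observable from the client side: a validating resolver either sets the AD (authenticated data) flag on the answer or returns SERVFAIL. The following shell function is an added example, not code from any of the commenters; it classifies a `dig` response by that rule. The three response headers it is fed are constructed samples in the standard `dig` header format, and `127.0.0.1` in the usage comment is assumed to be a local validating resolver.

```shell
#!/bin/sh
# classify_dns_answer: read the output of `dig` on stdin and print one word:
#   validated - status NOERROR/NXDOMAIN with the AD flag set; the resolver
#               validated the DNSSEC chain (NXDOMAIN means a signed denial)
#   insecure  - answer returned without AD; either the zone is unsigned or
#               the resolver is not validating, so nothing was proven
#   bogus     - SERVFAIL; a validating resolver refused to hand back data
#               whose signatures failed, i.e. "nothing at all"
classify_dns_answer() {
  input=$(cat)
  # header line looks like: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
  status=$(printf '%s\n' "$input" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # flags line looks like: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ...
  flags=$(printf '%s\n' "$input" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR|NXDOMAIN)
      case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo insecure ;;
      esac ;;
    SERVFAIL) echo bogus ;;
    *)        echo unknown ;;
  esac
}

# Constructed sample responses (not captured from a real resolver).
SAMPLE_VALIDATED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
SAMPLE_INSECURE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
SAMPLE_BOGUS=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Stand-alone demonstration on the constructed samples.
printf 'validated sample -> %s\n' "$(printf '%s\n' "$SAMPLE_VALIDATED" | classify_dns_answer)"
printf 'insecure sample  -> %s\n' "$(printf '%s\n' "$SAMPLE_INSECURE"  | classify_dns_answer)"
printf 'bogus sample     -> %s\n' "$(printf '%s\n' "$SAMPLE_BOGUS"     | classify_dns_answer)"

# Against a real local validating resolver (assumed at 127.0.0.1) you would run:
#   dig +dnssec example.com A @127.0.0.1 | classify_dns_answer
# To see the data a resolver withheld as bogus, repeat the query with +cd
# (checking disabled); the resolver then answers without validating.
```

Note that `insecure` and `validated` look identical to an application that ignores the AD flag, which is why the thread's point stands: unless the validating resolver is local (or the path to it is trusted), the AD bit is just another unauthenticated byte on the wire.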



