Comment on Second set of eyes - DNS Nameservers
possiblylinux127@lemmy.zip 1 month agoDNS translates IPv4 addresses to IPv6 NAT64 addresses for networks that are IPv6 only
I believe that DNSSEC breaks it since the IP addresses will be different.
dihutenosa@piefed.social 1 month ago
Oh, now I see.
I guess then the DNS64 server needs to do the dnssec verification on behalf of the user, then drop the RRSIG records for the v4->v6 translated names.
Oh, and now I realize I confused the direction. DNS64 makes v4 into v6.
possiblylinux127@lemmy.zip 1 month ago
What is the security benefit of DNSSEC?
It made more sense when everything was http now https is the norm is is less useful as far as I can tell.
dihutenosa@piefed.social 1 month ago
How could a hijacked DNS entry harm you?
- redirect to ads/spam
- downgrade to HTTP (no HSTS), then steal creds
- MitM the TOFU of SSH
- probably something more...
You can leverage the trust in DNSSEC to distribute TLS and SSH fingerprints too, look up DANE.
possiblylinux127@lemmy.zip 1 month ago
You can’t easy man in the middle authenticated protocols like SSH or HTTPS. If that was easy to do it would defeat the entire purpose of the TLS layer. Don’t take this the wrong way but this feels like a dated way of thinking. I think in the future it will way less of a problem since http is on its death bed.