Systems Approach

@SystemsAppr@discuss.systems
1.2K Followers
213 Following
869 Posts
Larry Peterson and Bruce Davie write books and newsletters about the Internet and related computer systems topics.
website: https://www.systemsapproach.org/books/
newsletter: https://systemsapproach.org/newsletter
GitHub: https://github.com/SystemsApproach
tech rag: https://www.theregister.com/Tag/Systems%20Approach
P.S. If you want to review the current draft of the security book, we have now made it available and will happily take feedback:
https://github.com/SystemsApproach/security
GitHub - SystemsApproach/security: Network Security Micro-book

There are other approaches around to secure DNS, such as running DNS over HTTPS (DoH) and a variant of DoH that protects client privacy called Oblivious DNS. These solve some issues with DNS security but not the one where your resolver has had its cache poisoned.

Giving false answers to DNS queries remains a problem, especially in countries that want to limit their citizens' access to certain content. (We assume this will soon include countries that want to limit access to the global version of TikTok?) And so while DNSSEC struggles to make progress, we're not ready to give up on DNS security yet.

More details in the newsletter:
https://systemsapproach.org/2025/07/14/does-dns-security-matter/

/FIN

Does DNS Security Matter? - Systems Approach

DNSSEC assures a client that it is talking to the IP address corresponding to the domain name that it requested

Systems Approach

Another issue is that DNSSEC requires the chain of trust to follow the zone hierarchy. No problem for us but it is a deal-breaker if anyone in the hierarchy above the zone you want to protect doesn't support DNSSEC. This is the case for about 30% of country-level domains at present.

5/n

A couple of problems stand out. One is a lack of user visibility: DNSSEC provides no equivalent to the comforting little padlock that your browser offers when using HTTPS. Instead, you need to go run some sort of diagnostic tool that is frankly for Internet geeks only. We rather like DNSviz: https://github.com/dnsviz/dnsviz

You can see the chain of trust established from the root zone down via .org to our systemsapproach.org zone in this image.

4/n
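The chain of trust that DNSviz draws for systemsapproach.org (root, then .org, then the zone itself) is a sequence of DS records in each parent that must match a DNSKEY in the child. The following is an added example, not the authors' code and not DNSviz, that walks that linkage the way a validating resolver does, and also shows the situation described in 5/n: a parent that publishes no DS ends the chain, so a signed zone beneath it can only ever be "insecure". Everything in it is constructed: the keys are fake bytes, `nodnssec.` is a hypothetical TLD with no DNSSEC, and the in-memory zone table stands in for the DS and DNSKEY records a real validator would fetch. RRSIG signature checking is deliberately omitted; only the DS/DNSKEY chain is verified.

```python
import hashlib

# Added example (not the Systems Approach authors' code). It models the DS -> DNSKEY
# linkage that DNSviz draws from the root down to a zone, using constructed fake key
# material and an in-memory zone table instead of live DNS queries. RRSIG signature
# checking is deliberately out of scope; only the chain of trust is walked.


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lower-cased, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout (RFC 4034): flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner name in wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, rdata: bytes) -> tuple:
    """The (key tag, digest) pair a parent publishes to vouch for a child's KSK."""
    return key_tag(rdata), ds_digest(owner, rdata)


def zone_chain(name: str) -> list:
    """Zones from the root down to `name`, e.g. ['.', 'org.', 'systemsapproach.org.']."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate_chain(name: str, zones: dict, trust_anchor: tuple) -> tuple:
    """Walk the chain of trust root -> ... -> name.

    zones maps a zone name to {"dnskey": [rdata, ...], "ds": {child: [(tag, digest), ...]}}.
    Returns (status, detail) with status in {"secure", "insecure", "bogus"}, mirroring
    the validator states of RFC 4035. A missing DS in the parent is treated as an
    authenticated absence (what a real parent proves with NSEC/NSEC3), which is exactly
    the situation of a zone whose parent does not support DNSSEC.
    """
    chain = zone_chain(name)
    root_keys = zones.get(".", {}).get("dnskey", [])
    if not any(ds_record(".", k) == trust_anchor for k in root_keys):
        return "bogus", "root DNSKEY does not match the configured trust anchor"
    for parent, child in zip(chain, chain[1:]):
        ds_set = zones.get(parent, {}).get("ds", {}).get(child, [])
        if not ds_set:
            return "insecure", f"{parent} publishes no DS for {child}: chain ends here"
        child_keys = zones.get(child, {}).get("dnskey", [])
        if not any(ds_record(child, k) in ds_set for k in child_keys):
            return "bogus", f"DS in {parent} matches no DNSKEY in {child}"
    return "secure", f"chain of trust verified down to {name}"


def make_ksk(seed: bytes) -> bytes:
    """Constructed stand-in for a KSK: flags 257 (SEP), algorithm 13, 64 fake key bytes."""
    return dnskey_rdata(257, 13, hashlib.sha512(seed).digest())


# Constructed zone table. Keys are fake; "nodnssec." is a hypothetical TLD that has not
# deployed DNSSEC, so the root carries no DS for it even though its child zone is signed.
ROOT_KSK = make_ksk(b"constructed root KSK")
ORG_KSK = make_ksk(b"constructed org KSK")
SA_KSK = make_ksk(b"constructed systemsapproach.org KSK")
ORPHAN_KSK = make_ksk(b"constructed example.nodnssec KSK")

ZONES = {
    ".": {"dnskey": [ROOT_KSK], "ds": {"org.": [ds_record("org.", ORG_KSK)]}},
    "org.": {"dnskey": [ORG_KSK], "ds": {"systemsapproach.org.": [ds_record("systemsapproach.org.", SA_KSK)]}},
    "systemsapproach.org.": {"dnskey": [SA_KSK], "ds": {}},
    "nodnssec.": {"dnskey": [], "ds": {}},
    "example.nodnssec.": {"dnskey": [ORPHAN_KSK], "ds": {}},
}
TRUST_ANCHOR = ds_record(".", ROOT_KSK)


def tampered_zones(zones: dict, zone: str, rogue_key: bytes) -> dict:
    """Copy of the table with `zone`'s DNSKEY swapped for an attacker's key, DS left intact."""
    new = dict(zones)
    new[zone] = {"dnskey": [rogue_key], "ds": zones[zone]["ds"]}
    return new


if __name__ == "__main__":
    print(validate_chain("systemsapproach.org.", ZONES, TRUST_ANCHOR))
    print(validate_chain("example.nodnssec.", ZONES, TRUST_ANCHOR))
    rogue = tampered_zones(ZONES, "systemsapproach.org.", make_ksk(b"attacker key"))
    print(validate_chain("systemsapproach.org.", rogue, TRUST_ANCHOR))
```

The three runs at the bottom give the three outcomes a validator can reach: the systemsapproach.org chain comes back "secure" because every parent DS matches a child DNSKEY; the zone under the hypothetical unsigned TLD comes back "insecure" even though it is signed, because the root has no DS to hand off to; and a swapped-in attacker key yields "bogus", which is the case DNSSEC actually exists to catch. The key-tag and DS-digest routines follow RFC 4034, so the same helpers can be pointed at real DNSKEY RDATA if you want to check a DS you are about to hand to a registrar.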

For a couple of deep dives into what has gone wrong, we recommend:

"Calling time on DNSSEC?" by Geoff Huston
https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/
and
"Where did DNSSEC go wrong?" by Edward Lewis
https://blog.apnic.net/2024/07/05/where-did-dnssec-go-wrong/

3/n

Calling time on DNSSEC? | APNIC Blog

Should we drop DNSSEC and just move on?

APNIC Blog

For a start, how bad is it? Well, DNSSEC was first documented in RFC 2065 in 1997, so we've had 28 years of deployment, and we're at about 34% according to the Internet Society: https://pulse.internetsociety.org/en/technologies/

By comparison, HTTPS, in the same time period, has been deployed at 96% of the most popular 1000 sites on the Web.

2/n

Enabling Technologies — Internet Society Pulse

New technologies are essential to enable the Internet to keep growing, evolving and meeting the changing expectations of users. Enabling technologies contribute to improved Internet scalability, security, trust and availability. Internet Society Pulse curates information about levels of IPv6 adoption in countries and networks around the world, progress being made towards an encrypted web, indicators of DNSSEC adoption by the registries for country-code domain names, and data on worldwide adoption of TLS1.3 and HTTP/3.

Internet Society Pulse

Over the last year-plus we have been working on a new book focussing on network security. Most recently we have been looking into the security of the Internet's infrastructure, including the domain name system (DNS). Even though attacks on DNS have been known since the 1990s, efforts to secure it have been limited in their adoption. For this week's newsletter, we enabled DNSSEC (DNS security extensions) on our domain and it was remarkably painless. Yet DNSSEC adoption remains sluggish, for reasons that are explored in the newsletter.

https://systemsapproach.org/2025/07/14/does-dns-security-matter/

🧵
1/n


Does DNS Security Matter?

Last week I turned on DNSSEC (Domain Name System Security Extensions) for the systemsapproach.org domain. No need to applaud; I was just trying to get an understanding of what the barriers to adoption might be while teaching myself about the technology. It turns out that, if you have your domain hosted by a big provider (we happen to use GoDaddy), it’s easy to turn on DNSSEC.

https://systemsapproach.org/2025/07/14/does-dns-security-matter/

We are trying to settle on "house style" for the plural of AS (Autonomous Systems). Since 1995 (when we had a good copy editor) our style has been "ASs" which seems to be consistent with many style guides and also the most common way to pluralise the similar-looking OS. However, much of the literature on routing uses ASes, and there would also be some support from style guides for using AS's. Please give us your vote:
ASs
ASes
AS's
Avoid the term
the next time you want to piss off a techbro, just tell them intersectionality is systems thinking for human values