jcalvinowens

[email protected] github.com/jcalvinowens
It's not a full recursive lookup: you don't understand how DNSSEC works. I'm not replying to you any more.
Not true, RFC 4035 says all security-aware resolvers SHOULD verify the signatures. It's far from pointless when actually implemented. Don't dismiss a whole protocol just because some historical implementations have been half-assed.
No, it's experimental. But I run it on all my machines; the only time I've had a problem is when it caught a typo in a DS record.
It's not necessarily equivalent to a recursive lookup: you can ask a cache for all the answers because you already know the root keys a priori. But yes, it does follow the entire chain of trust; that's the entire point of DNSSEC: if you don't do that, the whole exercise is utterly pointless.
No, modern resolvers like systemd-resolved actually check the DNSSEC signatures on the client.
DNSSEC prevents that if set up properly.