Lecture 15: DNSSEC

DNS over TLS


(True/False) DNS-over-TLS is rarely used because it would be too slow.




Designing DNSSEC Pt. 1


(True/False) This design would have the same guarantees if we didn't include the IP address in the signature.




Designing DNSSEC Pt. 2


Say a nameserver decides to just sign a "no record" response which isn't specific to any particular domain. This signature could be precomputed so the amplification attack is no longer an issue. What new attack exists?




Designing DNSSEC Pt. 3


Say a nameserver uses the no-record response described in the video, but to stop enumeration attacks it uses slightly different, non-existent domains in its response (i.e., instead of returning a non-existent message of [mail.google.com, maps.google.com], it would send [main.google.com, mars.google.com]). What problem does this cause?




DNSSEC



(True/False) A resolver which supports DNSSEC will have the root server's public key hardwired into it.




Issues with DNSSEC


(True/False) DNSSEC still works properly even if some domains on a resolving path don't support it, as long as the root server does.