Lecture 15: DNSSEC

• Slides
• Playlist (length: 45:08)

DNS over TLS

(True/False) DNS-over-TLS is rarely used because it would be too slow

True.

Designing DNSSEC Pt. 1

(True/False) This design would have the same guarantees if we didn't include the IP addresss in the signature.

False. Then a MiTM could simply swap out the IP address with a malicious one

Designing DNSSEC Pt. 2

Say a nameserver decides to just sign a "no record" response which isn't specific to any particular domain. This signature could be precomputed so the amplification attack is no longer an issue. What new attack exists?

An attacker can now launch a Denial of Service (DoS) attack by replaying this ‘no record’ response to anyone who queries the nameserver

Designing DNSSEC Pt. 3

Say a nameserver uses the no-record response described in the video, but to stop enumeration attacks uses slightly different, non-existent domains in its response (ie. instead of return a non-existent message of [mail.google.com, maps.google.com], it would send [main.google.com, mars.google.com]). What problem does this cause?

Same problem as above, an attacker could capture one of these messages and launch a DoS attack against valid domains

DNSSEC

(True/False) A resolver which supports DNSSEC will have the root server's public key hardwired into it.

True.

Issues with DNSSEC

(True/False) DNSSEC still works properly even if some domains on a resolving path don't support it, as long as the root server does.

False. This breaks the certificate chain