Lecture 15: DNSSEC

DNS over TLS

(True/False) DNS-over-TLS is rarely used because it would be too slow.

Designing DNSSEC Pt. 1

(True/False) This design would have the same guarantees if we didn't include the IP address in the signature.

Designing DNSSEC Pt. 2

Say a nameserver decides to just sign a "no record" response which isn't specific to any particular domain. This signature could be precomputed so the amplification attack is no longer an issue. What new attack exists?

Designing DNSSEC Pt. 3

Say a nameserver uses the no-record response described in the video, but to stop enumeration attacks it uses slightly different, non-existent domains in its response (i.e., instead of returning a non-existent message of [mail.google.com, maps.google.com], it would send [main.google.com, mars.google.com]). What problem does this cause?


(True/False) A resolver which supports DNSSEC will have the root server's public key hardwired into it.

Issues with DNSSEC

(True/False) DNSSEC still works properly even if some domains on a resolving path don't support it, as long as the root server does.