Is there a defensive security account on here that I can follow? That'd be cool.

Regarding DNSSEC, registrar account security and some other DNS technical topics, I wrote this 6 years ago. Still relevant and used as a basis for the NIS directive adaptation into the French law.


Regarding the technicalities of DNSSEC, I can't let you say that DNSSEC is comparable to OpenSSL (or even TLS and the WebPKI) or GnuPG 😉

Yes, the three of them use asymetric cryptography to sign stuff. But that's about it regarding common denominators. 😶 Their PKI (including involved actors, certificate formats, the way these actors are organised, the timing contrainsts, the maintainance load, the revokation mechanisms, etc.) are significantly different.

@x_cli it was asymmetric encryption I was trying to highlight, but i understand. However, just like with TLS and PGP, if someone is able to sign with your private key, the utility of the overall program is degraded at best

@jerry That's true 😃 The implications, though, are very different. With DNSSEC, every actor can be a Certification Authority for other entities, so when you fall, you may bring people down with you. And of course, because why not, there are no revokation mechanism. So when you are screwed, you may be so for a long time.

However, DNSSEC private key leakage can be less probable if done properly, because the protocol is engineered so that the key can be stored and used offline.

(but that was an excellent show, as always 😉 Thank you! Don't mind my nitpicking 😌)

@x_cli thanks. It’s all pretty much stream of consciousness and I’m surprised I don’t get a lot more criticism

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.