2 comments

[ 3.0 ms ] story [ 14.6 ms ] thread
Posting as a reminder that DNSSEC rollout to the top level domains (TLDs) is still incomplete. Without DNSSEC, DNS is spoofable.

Further DNSSEC rollout to non-TLD DNS servers is also incomplete. DNS spoofing is still possible in 2020.

[PDF, 2008] https://www.iana.org/about/presentations/davies-viareggio-en...

With DNSSEC, the DNS is spoofable. The two most common spoofing modalities in practice are LAN-style spoofing (airport and coffee shop wireless) and registrar ATO, both of which DNSSEC doesn't touch. Ironically, the former spoofing modality is directly addressed by DoH (or DoT, if you trust your network operator) and doesn't require coordinated or universal deployment.

There's a reason fewer than 2% of all .COM domains are signed; it's because DNSSEC is moribund.