Pulse of Truth

1840 readers

61 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 2 years ago

MODERATORS

krogoth@infosec.pub

Formal proofs expose long standing cracks in DNSSEC (www.helpnetsecurity.com)

submitted 1 day ago by lemmydev2@infosec.pub to c/pulse_of_truth@infosec.pub

3 comments fedilink hide all child comments

DNSSEC is meant to stop attackers from tampering with DNS answers. It signs records so resolvers can verify that data is authentic and unchanged. Many security teams assume that if DNSSEC validation passes, the answer can be trusted. New academic research suggests that assumption deserves closer scrutiny. Researchers from Palo Alto Networks, Purdue University, the University of California Irvine, and the University of Texas at Dallas present an analysis of DNSSEC that goes beyond bug … More → The post Formal proofs expose long standing cracks in DNSSEC appeared first on Help Net Security.

you are viewing a single comment's thread
view the rest of the comments

[–] Deebster@infosec.pub 8 points 1 day ago

Off the top of my head, this will cause client lookups to always be as slow as the slowest server, as well as increasing server loads. You could perhaps request from more than three servers and use the first replies, but then you're increasing server loads even more and not necessarily even looking at the responses.

Also, if the error/attack is higher in the DNS hierarchy, all the edge servers would report the same incorrect data.