this post was submitted on 24 Dec 2025
25 points (100.0% liked)

Pulse of Truth

1840 readers
61 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 2 years ago
MODERATORS
krogoth@infosec.pub
25
Formal proofs expose long standing cracks in DNSSEC (www.helpnetsecurity.com)
submitted 1 day ago by lemmydev2@infosec.pub to c/pulse_of_truth@infosec.pub
3 comments fedilink hide all child comments
 

DNSSEC is meant to stop attackers from tampering with DNS answers. It signs records so resolvers can verify that data is authentic and unchanged. Many security teams assume that if DNSSEC validation passes, the answer can be trusted. New academic research suggests that assumption deserves closer scrutiny. Researchers from Palo Alto Networks, Purdue University, the University of California Irvine, and the University of Texas at Dallas present an analysis of DNSSEC that goes beyond bug … More → The post Formal proofs expose long standing cracks in DNSSEC appeared first on Help Net Security.

top 3 comments
sorted by: hot top controversial new old
[–] Arghblarg@lemmy.ca 8 points 1 day ago* (last edited 1 day ago) (1 children)

I've wondered at times if DNS resolution should be a vote system at the client side; one chooses a set of, say 3 DNS servers, and trusts the majority reply, reporting the dissenting one, if there is one, to some other set of observers who can then evaluate if something hinky is afoot.

[–] Deebster@infosec.pub 8 points 1 day ago

Off the top of my head, this will cause client lookups to always be as slow as the slowest server, as well as increasing server loads. You could perhaps request from more than three servers and use the first replies, but then you're increasing server loads even more and not necessarily even looking at the responses.

Also, if the error/attack is higher in the DNS hierarchy, all the edge servers would report the same incorrect data.

[–] Deebster@infosec.pub 6 points 1 day ago

This is excellent work, I'm happy that these maths wizards are using their powers for good.

Is the fix as simple as saying you can't enable both NSEC and NSEC3? Obviously, this will be problematic for clients using the disabled version.