Feeds

back to article Google adds validation to DNSSEC

Worldwide, the rollout of DNSSEC can comfortably be described as “glacial”, but Google valiantly continues to try to give it profile. Having launched its own DNSSEC service three years ago, Mountain View has now added DNSSEC validation to its public DNS resolvers. Announced in this blog post, Google says the move means “we can …

COMMENTS

This topic is closed for new posts.
Stop

Chicken Little

Without DNSSEC, there is still a possibility of Kaminsky exploit. True, but misleading.

But to say 'most of the Internet remains vulnerable to the so-called “Kaminsky bug”' is less-than-responsible journalism. Patches have been available for years and all responsible sysadmins have deployed them. Success of a Kaminsky attack against a patched DNS server is possible but the chance is very, very low.

There are plenty of good reasons to use DNSSEC as there are quite a few vulnerabilities. But please don't put Kaminsky attack at the top of your list.

3
0
FAIL

That explains

Why wireshark labels it a malformed DNS response. :-/

What about EDNS0? and the billions of other DNS options...

0
0
Bronze badge

And, like the IPv6 articles, when is The Reg going to stop posting articles about DNSSEC and actually enable it for their own domains?

Aren't the tech sites supposed to be taking the lead, and showing the way to others?

6
0
Anonymous Coward

SSL would be nice too...

3
0
Meh

And still, google.com zone itself is not signed

which is sad.

And, I concur with Lee D - tech media should show an example.

1
0
Bronze badge

The # of Noobs/Non-Tech Users

On the internet and google thinks they can reasonably expect a majority of major players to actually do this when it potentially could stop people reaching their sites.

I have to take a hit and pass it on, just can't imagine this happening.

Btw google thanks for letting me use your DNS servers though, it's appreciated :)

0
0
Bronze badge

Re: The # of Noobs/Non-Tech Users

World IPv6 day (and several anniversaries and similar events) pretty much proved that this is a nonsense on any vaguely modern OS. Fact is, if your computer supports IPv6, then it will either use it (if it's available and globally-addressable) or fall back to IPv4 (if not). And if you use IPv4, nothing IPv6 will affect you at all.

You aren't going to damage anyone by publishing an AAAA record that anything without IPv6 accessibility will ignore. And in all modern OS's (i.e. XP and above), if you have IPv6 and it's working then it will get used. If it's not, then it won't.

1
0
Silver badge

The main uses for messing with DNS are of course...

censorship and advertisements. There are a lot of ISPs who mess with DNS for failed requests and tell it to point to their own server which then serves ads.

Further more many internet censorship plans mess with DNS in order to divert certain sites to a "warning" site.

0
0

Do as they say, not as they do?

Google.com? No DNSSEC there. Google.co.uk? Same. Likewise OpenDNS.com.

It's depressing: when even the DNSSEC *advocates* aren't actually enabling it themselves, who will? (FWIW, my personal domain has DNSCurve and DNSSEC, as well as IPv6 - it's truly disappointing that Google don't!)

0
0
This topic is closed for new posts.