Worldwide, the rollout of DNSSEC can comfortably be described as “glacial”, but Google valiantly continues to try to give it profile. Having launched its own DNSSEC service three years ago, Mountain View has now added DNSSEC validation to its public DNS resolvers. Announced in this blog post, Google says the move means “we can …
Without DNSSEC, there is still a possibility of a Kaminsky exploit. True, but misleading.
But to say 'most of the Internet remains vulnerable to the so-called “Kaminsky bug”' is less-than-responsible journalism. Patches have been available for years and all responsible sysadmins have deployed them. Success of a Kaminsky attack against a patched DNS server is possible but the chance is very, very low.
There are plenty of good reasons to use DNSSEC as there are quite a few vulnerabilities. But please don't put the Kaminsky attack at the top of your list.
Why Wireshark labels it a malformed DNS response. :-/
What about EDNS0? and the billions of other DNS options...
And, like the IPv6 articles, when is The Reg going to stop posting articles about DNSSEC and actually enable it for their own domains?
Aren't the tech sites supposed to be taking the lead, and showing the way to others?
SSL would be nice too...
And still, google.com zone itself is not signed
which is sad.
And, I concur with Lee D - tech media should show an example.
The # of Noobs/Non-Tech Users
On the internet and Google thinks they can reasonably expect a majority of major players to actually do this when it potentially could stop people reaching their sites.
I have to take a hit and pass it on, just can't imagine this happening.
Btw Google, thanks for letting me use your DNS servers though, it's appreciated :)
Re: The # of Noobs/Non-Tech Users
World IPv6 day (and several anniversaries and similar events) pretty much proved that this is a nonsense on any vaguely modern OS. Fact is, if your computer supports IPv6, then it will either use it (if it's available and globally-addressable) or fall back to IPv4 (if not). And if you use IPv4, nothing IPv6 will affect you at all.
You aren't going to damage anyone by publishing an AAAA record that anything without IPv6 accessibility will ignore. And in all modern OS's (i.e. XP and above), if you have IPv6 and it's working then it will get used. If it's not, then it won't.
The main uses for messing with DNS are of course...
censorship and advertisements. There are a lot of ISPs who mess with DNS for failed requests and tell it to point to their own server which then serves ads.
Furthermore, many internet censorship plans mess with DNS in order to divert certain sites to a "warning" site.
Do as they say, not as they do?
Google.com? No DNSSEC there. Google.co.uk? Same. Likewise OpenDNS.com.
It's depressing: when even the DNSSEC *advocates* aren't actually enabling it themselves, who will? (FWIW, my personal domain has DNSCurve and DNSSEC, as well as IPv6 - it's truly disappointing that Google don't!)