Post Aw8oEAaZAVZ2621ToO by SystemsAppr@discuss.systems
Post #Aw8oDU4BGWheDQY1VA by SystemsAppr@discuss.systems
       2025-07-15T00:18:29Z
       
       0 likes, 1 repeats
       
       Over the last year-plus we have been working on a new book focussing on network security. Most recently we have been looking into the security of the Internet's infrastructure, including the domain name system (DNS). Even though attacks on DNS have been known since the 1990s, efforts to secure it have been limited in their adoption. For this week's newsletter, we enabled DNSSEC (DNS security extensions) on our domain and it was remarkably painless. Yet DNSSEC adoption remains sluggish, for reasons that are explored in the newsletter. https://systemsapproach.org/2025/07/14/does-dns-security-matter/ 🧵 1/n
       
Post #Aw8oDZtla9wCIrin6O by SystemsAppr@discuss.systems
       2025-07-15T00:19:01Z
       
       0 likes, 0 repeats
       
       For a start, how bad is it? Well, DNSSEC was first documented in RFC 2065 in 1997, so we've had 28 years of deployment, and we're at about 34% according to the Internet Society: https://pulse.internetsociety.org/en/technologies/
       By comparison, HTTPS, in the same time period, has been deployed at 96% of the most popular 1000 sites on the Web. 2/n
       
Post #Aw8oDfbuLTDY1DPc6C by SystemsAppr@discuss.systems
       2025-07-15T00:19:26Z
       
       0 likes, 0 repeats
       
       For a couple of deep dives into what has gone wrong, we recommend:
       "Calling time on DNSSEC?" by Geoff Huston
       https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/
       and
       "Where did DNSSEC go wrong?" by Edward Lewis
       https://blog.apnic.net/2024/07/05/where-did-dnssec-go-wrong/
       3/n
       
Post #Aw8oDrnh1Tm5pF1C8O by SystemsAppr@discuss.systems
       2025-07-15T00:21:52Z
       
       0 likes, 0 repeats
       
       A couple of problems stand out. One is a lack of user visibility: DNSSEC provides no equivalent to the comforting little padlock that your browser offers when using HTTPS. Instead, you need to go run some sort of diagnostic tool that is frankly for Internet geeks only. We rather like DNSviz: https://github.com/dnsviz/dnsviz
       You can see the chain of trust established from the root zone down via .org to our systemsapproach.org zone in this image. 4/n
       
Post #Aw8oDzbvz57e35Zuuu by SystemsAppr@discuss.systems
       2025-07-15T00:22:19Z
       
       0 likes, 0 repeats
       
       Another issue is that DNSSEC requires the chain of trust to follow the zone hierarchy. No problem for us but it is a deal-breaker if anyone in the hierarchy above the zone you want to protect doesn't support DNSSEC. This is the case for about 30% of country-level domains at present. 5/n
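
The chain of trust described in the two posts above (root trust anchor, then .org, then systemsapproach.org, and the deal-breaker of an unsigned parent), as an added example that is not part of this thread or of the Systems Approach book: a toy validator in Go that models DNSKEY, DS and RRSIG using Ed25519 (DNSSEC algorithm 15) and SHA-256 digests. The zone names come from the thread; the key material, the `A 192.0.2.1` record, the `DS|child|digest` message framing and the `BuildChain`/`Validate` helpers are constructed for this example and are not the real records, the wire format, or any resolver's code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone is a deliberately simplified DNSSEC zone: one Ed25519 key standing in for
// the DNSKEY RRset, a DS digest per secure delegation, and one signed record.
type Zone struct {
	Name    string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Signed  bool              // false models a zone that has not deployed DNSSEC
	ds      map[string][]byte // child name -> SHA-256 of the child's key (the DS record)
	dsSig   map[string][]byte // this zone's signature over that DS record
	Data    string            // one simplified record, e.g. "A 192.0.2.1"
	dataSig []byte            // the record's RRSIG equivalent
}

func NewZone(name string, signed bool) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv, Signed: signed, ds: map[string][]byte{}, dsSig: map[string][]byte{}}
}

// KeyDigest is the value a parent publishes as DS: a hash of the child's key.
func (z *Zone) KeyDigest() []byte {
	sum := sha256.Sum256(z.pub)
	return sum[:]
}

// Delegate records a delegation to child. A DS is published and signed only if both
// parent and child are signed; otherwise the delegation is insecure (an unsigned TLD).
func (z *Zone) Delegate(child *Zone) {
	if !z.Signed || !child.Signed {
		return
	}
	z.ds[child.Name] = child.KeyDigest()
	z.dsSig[child.Name] = ed25519.Sign(z.priv, append([]byte("DS|"+child.Name+"|"), z.ds[child.Name]...))
}

// SetData installs one record and, if the zone is signed, its signature.
func (z *Zone) SetData(data string) {
	z.Data = data
	if z.Signed {
		z.dataSig = ed25519.Sign(z.priv, []byte(z.Name+"|"+data))
	}
}

// Validate walks chain from the root (chain[0]) down to the leaf, trusting only anchor
// (the root key digest, i.e. the trust anchor); it returns data only if every link verifies.
func Validate(anchor []byte, chain []*Zone) (string, error) {
	expected := anchor
	for i, z := range chain {
		// The key this zone presents must match what the parent (or the anchor) vouched for.
		if string(z.KeyDigest()) != string(expected) {
			return "", fmt.Errorf("%s: DNSKEY does not match DS", z.Name)
		}
		if i == len(chain)-1 {
			if !ed25519.Verify(z.pub, []byte(z.Name+"|"+z.Data), z.dataSig) {
				return "", fmt.Errorf("%s: RRSIG does not cover %q", z.Name, z.Data)
			}
			return z.Data, nil
		}
		child := chain[i+1]
		digest, ok := z.ds[child.Name]
		if !ok {
			return "", fmt.Errorf("%s: no DS for %s, delegation is insecure", z.Name, child.Name)
		}
		if !ed25519.Verify(z.pub, append([]byte("DS|"+child.Name+"|"), digest...), z.dsSig[child.Name]) {
			return "", fmt.Errorf("%s: bad signature on DS for %s", z.Name, child.Name)
		}
		expected = digest
	}
	return "", fmt.Errorf("empty chain")
}

// BuildChain constructs root -> TLD -> leaf; tldSigned=false models an unsigned TLD.
func BuildChain(tldSigned bool) (anchor []byte, chain []*Zone) {
	root := NewZone(".", true)
	tld := NewZone("org.", tldSigned)
	leaf := NewZone("systemsapproach.org.", true)
	root.Delegate(tld)
	tld.Delegate(leaf)
	leaf.SetData("A 192.0.2.1") // constructed sample address (RFC 5737 range), not the real one
	return root.KeyDigest(), []*Zone{root, tld, leaf}
}

func main() {
	for _, signed := range []bool{true, false} {
		data, err := Validate(BuildChain(signed))
		fmt.Printf("TLD signed=%v: data=%q err=%v\n", signed, data, err)
	}
}
```

Run it and the first line shows the leaf record validated through root and org.; the second, with org. unsigned, fails at the root with "no DS for org., delegation is insecure". That is the situation under a TLD that has not deployed DNSSEC: the leaf can sign its zone all it likes, but no validator can reach it from the root trust anchor, so nobody is protected. The same walk also rejects a tampered leaf record (bad RRSIG) and a parent whose key the root never vouched for (DNSKEY does not match DS). A real resolver would additionally need the parent's NSEC/NSEC3 proof that no DS exists in order to classify the answer as insecure rather than bogus; that proof is omitted here.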
       
Post #Aw8oE55tb73l3SdPoO by SystemsAppr@discuss.systems
       2025-07-15T00:23:07Z
       
       0 likes, 0 repeats
       
       There are other approaches around to secure DNS, such as running DNS over HTTPS (DoH) and a variant of DoH that protects client privacy called Oblivious DNS. These solve some issues with DNS security but not the one where your resolver has had its cache poisoned. Giving false answers to DNS queries remains a problem, especially in countries that want to limit their citizens' access to certain content. (We assume this will soon include countries that want to limit access to the global version of TikTok?) And so while DNSSEC struggles to make progress, we're not ready to give up on DNS security yet. More details in the newsletter: https://systemsapproach.org/2025/07/14/does-dns-security-matter/ /FIN
       
Post #Aw8oEAaZAVZ2621ToO by SystemsAppr@discuss.systems
       2025-07-15T00:25:13Z
       
       0 likes, 0 repeats
       
       P.S. If you want to review the current draft of the security book, we have now made it available and will happily take feedback: https://github.com/SystemsApproach/security