
656 points EthanHeilman | 8 comments
1. scarmig ◴[] No.30106234[source]
This sounds really beautiful, and I am saving the link for future reference.

I'm curious about the DNS encryption recommendation. My impression was that DNSSEC was kind of frowned upon as doing nothing that provides real security, at least according to the folks I try to pay attention to. Is this a conflict of differing perspectives, or am I missing something?

replies(3): >>30106250 #>>30108627 #>>30110377 #
2. dsr_ ◴[] No.30106250[source]
DNS over TLS and DNS over HTTP/TLS.
replies(1): >>30108450 #
3. nybble41 ◴[] No.30108450[source]
DoT and DoH only encrypt the connection to the recursive resolver, more for privacy than security. You still need DNSSEC to authenticate the results.
4. zie ◴[] No.30108627[source]
DNSSEC is security in the other direction (DNS server -> client). All DNSSEC does is securely sign all the responses to DNS queries.

So DNSSEC is the answer to: can I trust that this IP is valid for the name news.ycombinator.com?

DNS over TLS/HTTPS just says: nobody but the DNS server I use can see that I'm wanting news.ycombinator.com's IP. It's mostly useless at the moment, since other gaps exist leaking essentially the same information (SNI, etc.), but it should get more useful over time, as people are working on fixing those gaps.

replies(1): >>30112936 #
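The distinction in the two comments above (DoT/DoH hide the query from the network, DNSSEC lets the client check that the answer is the one the zone owner published) is easiest to see with the signing step made concrete. The following is an added, simplified illustration, not code from the thread or from any DNS implementation: it builds a canonical form of an RRset loosely modelled on RFC 4034 and signs it with Ed25519 (DNSSEC algorithm 15, RFC 8080), then shows that an answer with a swapped address fails validation no matter how the packet reached the client. Owner names are kept as text rather than wire-format labels, the RRSIG header fields are omitted, and the IP addresses are constructed RFC 5737 documentation values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record of an answer section, e.g. an A record.
type RR struct {
	Owner string // e.g. "news.ycombinator.com."
	Type  uint16 // 1 = A
	TTL   uint32
	Rdata []byte // for an A record: the 4 address bytes
}

func be16(v uint16) []byte { b := make([]byte, 2); binary.BigEndian.PutUint16(b, v); return b }
func be32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// canonicalRRset builds the signing input in the spirit of RFC 4034 section 6:
// owner names lowercased, records sorted by RDATA, each encoded as
// owner | type | class | TTL | rdlength | rdata. Simplified: the owner is a
// text string, not DNS wire-format labels, and no RRSIG header is prepended.
func canonicalRRset(rrs []RR) []byte {
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool {
		return string(sorted[i].Rdata) < string(sorted[j].Rdata)
	})
	var buf []byte
	for _, rr := range sorted {
		buf = append(buf, []byte(strings.ToLower(rr.Owner))...)
		buf = append(buf, be16(rr.Type)...)
		buf = append(buf, be16(1)...) // class IN
		buf = append(buf, be32(rr.TTL)...)
		buf = append(buf, be16(uint16(len(rr.Rdata)))...)
		buf = append(buf, rr.Rdata...)
	}
	return buf
}

// SignRRset is the zone signer's job: produce the RRSIG-like signature
// with the zone's private key.
func SignRRset(priv ed25519.PrivateKey, rrs []RR) []byte {
	return ed25519.Sign(priv, canonicalRRset(rrs))
}

// VerifyRRset is what a validating resolver or stub does with the
// zone's DNSKEY, regardless of whether the bytes arrived over UDP,
// DoT or DoH.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig []byte) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig)
}

// Demo signs a genuine answer, then presents a forged answer (different
// address, same signature) to the verifier. Returns (genuineValid, forgedValid).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed records; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
	genuine := []RR{{Owner: "news.ycombinator.com.", Type: 1, TTL: 300, Rdata: []byte{192, 0, 2, 10}}}
	sig := SignRRset(priv, genuine)
	forged := []RR{{Owner: "news.ycombinator.com.", Type: 1, TTL: 300, Rdata: []byte{198, 51, 100, 7}}}
	return VerifyRRset(pub, genuine, sig), VerifyRRset(pub, forged, sig)
}

func main() {
	g, f := Demo()
	fmt.Printf("genuine answer validates: %v\n", g) // true
	fmt.Printf("forged answer validates:  %v\n", f) // false
}
```

The canonical ordering matters in practice: two resolvers may return the same records in different orders, and the signature must still verify, which is why the records are sorted before hashing rather than signed in arrival order.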
5. 0xdeadb00f ◴[] No.30110377[source]
Whatever happened to Dnscrypt?
replies(1): >>30114478 #
6. zaarn ◴[] No.30112936[source]
QUIC and ECH cover the leakage of host information already, so DNS over TLS/HTTPS is plenty useful already IMO. Just needs the hosts to upgrade to support ECH or QUIC. Plus it's never bad to cover your bases; DNS queries are for more than just the browser (e.g. the SRV record which an application may use for connection data, or TXT records for configuration or ACME).
7. teddyh ◴[] No.30114478[source]
They never even wrote a Draft RFC.
replies(1): >>30147202 #
8. 0xdeadb00f ◴[] No.30147202{3}[source]
Really? That's disappointing.