On Mo, 28.09.20 11:10, Andrew Lutomirski (luto(a)mit.edu) wrote:
> If the other big OSes would enable DNSSEC client-side by default
> things might change, but neither Windows nor MacOS or Android do.
>
> The old unbound-resolveconf actually worked quite well when I played with
> it. The only problem I had was that I couldn't load google.com from one
> particular network. Upon a bit of investigation, I discovered that the ISP
> was maliciously replacing the A records for google.com with its own servers
> to inject JavaScript. So unbound-resolveconf's behavior was arguably
> correct. A better solution might have been to pop up some kind of
> notification like "your network is attempting to tamper with google.com.
> You can use the tampered version of google.com at your own risk by
> following these instructions, or you could try to access the real google.com
> by doing this other thing".
That's terrible UI. The thing is: this stuff should just work and not
pester users with questions they couldn't possibly understand or
answer properly.
I mean, let's face it. DNSSEC is great, but does it actually make your
bank transfer safer? Not really: SSL certs validate domains too in a
way, so DNSSEC isn't strictly necessary, because trusting an SSL CA
isn't much different than trusting the DNSSEC root.
Hence: client-side DNSSEC is certainly something we should support if
we can, but it's not deployable as default as it stands now, simply
because it breaks more stuff than it helps.
Lennart
--
Lennart Poettering, Berlin