On Mo, 28.09.20 11:10, Andrew Lutomirski (luto@mit.edu) wrote:
If the other big OSes would enable DNSSEC client-side by default things might change, but neither Windows nor MacOS or Android do.
The old unbound-resolveconf actually worked quite well when I played with it. The only problem I had was that I couldn't load google.com from one particular network. Upon a bit of investigation, I discovered that the ISP was maliciously replacing the A records for google.com with its own servers to inject JavaScript. So unbound-resolveconf's behavior was arguably correct. A better solution might have been to pop up some kind of notification like "your network is attempting to tamper with google.com. You can use the tampered version of google.com at your own risk by following these instructions, or you could try to access the real google.com by doing this other thing".
That's terrible UI. The thing is: this stuff should just work and not pester users with questions they couldn't possibly understand or answer properly.
I mean, let's face it. DNSSEC is great, but does it actually make your bank transfer safer? Not really: SSL certs validate domains too, in a way, so DNSSEC isn't strictly necessary, because trusting an SSL CA isn't much different than trusting the DNSSEC root.
Hence: client-side DNSSEC is certainly something we should support if we can, but it's not deployable as default as it stands now, simply because it breaks more stuff than it helps.
Lennart
-- Lennart Poettering, Berlin