A nice informative video about DNSSEC. They should put out a new one with updated information. This video is over 3 years old. But still very informative of how DNSSEC works and where it is going.
At around 9:00 you said that DS is not really necessary, but the DS is there to allow the public key of a sub-domain, and then you sign the DS record.
For example:
domain: example.com
1. You create a key pair and add the record to your DNS
2. You send the public key to the parent "com."
3. The "com." root DNS enters a DS record for example.com, then signs it with its own ZSK with a RRSIG entry
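An added example (not from the video or the commenters) of what steps 1 to 3 amount to on the wire: the parent derives the DS record by hashing the child's DNSKEY owner name plus RDATA (RFC 4034), and a validator recomputes that digest to confirm the child's public key really is the one the parent vouched for. The owner name, flags and key bytes are constructed assumptions, not real key material.

```python
import hashlib
import struct

# Constructed example key material: NOT a real key, just 64 dummy bytes
# shaped like an ECDSA P-256 public key (algorithm 13 publishes raw X||Y).
EXAMPLE_PUBKEY = bytes(range(1, 65))
OWNER = "example.com."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13   # 257 = KSK (SEP bit set), 13 = ECDSAP256SHA256

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> dict:
    """What the parent zone publishes: key tag, algorithm, digest type 2 (SHA-256), digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """Validator-side check: does the DS from the parent describe this child DNSKEY?"""
    if ds["digest_type"] != 2:
        return False   # only SHA-256 digests are handled in this example
    return make_ds(owner, flags, protocol, algorithm, pubkey) == ds

if __name__ == "__main__":
    ds = make_ds(OWNER, FLAGS, PROTOCOL, ALGORITHM, EXAMPLE_PUBKEY)
    print(f"{OWNER} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
```

The parent's RRSIG over the DS set is a separate step (a signature with the parent's ZSK); this block covers only the digest that links the two zones.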
How can we explain a cause of reaction.... $20 for the man in the end that can keep a secret!
The main problem that is exhibited with silly clarity is the monolithic thinking of Cloudflare. The simple answer is to replace your "Authoritative Servers" - forget the Windows attempt to monopolise, and check with two or more "Authoritative Servers". In Windows you enter 2 DNS servers, usually provided by your ISP, and they complete the DNS, but only the first is used as long as it responds. In the old days you had the /etc/hosts file, and could set the DNS query sequence "manually" and "re-bind" - things that have never been made available on Windows. But being able to manually make two DNS queries needs a change in Windows, though it is possible with full TCP/IP on macOS and Linux. Then this discussion is theoretically interesting - but what's the issue? Tons of work plunged into defending some ancient flaw, well known for decades, and some people have made a fortune delivering these lectures and warning us of "problems". When it is so easy to avoid, why not just avoid the problem? (Use two "zones".) There is the "9.9.9.9" proxy set up - use it!