How is my DNSSEC enabled domain still serving a tiny number of NXDOMAIN response codes?

TL;DR The lack of NXDOMAIN responses for Cloudflare hosted domains is a consequence of their specific DNSSEC implementation (using so-called “black lies”) and not a design of the DNSSEC protocol itself; hence observations will be different with other providers doing DNSSEC.

Initial questions

How are NXDOMAIN responses still possible? Why wouldn’t they be possible? …

What kinds of security vulnerabilities does providing DNSSEC expose?

DNSSEC has some risks, but they are not directly related to reflection or amplification. The EDNS0 message size expansion is a red herring in this case. Let me explain. Any exchange of packets that does not depend on a previous proof of identity is subject to abuse by DDoS attackers who can use that unauthenticated …