Slashdot Mirror
Google Implements DNSSEC Validation For Public DNS
wiredmikey writes "Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn't actually perform validation. 'With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,' Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post. According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013. 'Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,' Gu said."
Google knows.
If you like humping your mommy
And getting caught by your dad
If you're not into poota
If you have half a nad
If you'd like humping butts at midnight
In the smooth anal gape
Then I'm the love that you've looked for
Write to me and assrape
$10,000 CHALLENGE to Alexander Peter Kowalski
Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.
Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?
Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.
If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.
I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.
Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.
Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.
I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.
If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!
You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke threatening to sue him for libel,
...probably the most unsexy story I've seen on Slashdot in ages. It's minimally controversial. And it leads to a minimum number of jokes and ridicule. I predict that the Limit, as time approaches infinity, of number of posts = 150.
We should learn what we need to know about issues, before we decide what we need to feel about them.
Here's my big complaint about DNSSEC. Most of the registrars in the world either don't support this, or make it more than a pain to implement it. Try to find one that supports adding DNSSEC and IPv6 simultaneously is a nightmare.
I'm not up to scratch on the whole DNSSEC thing, but last I heard the protocol allowed DNSSEC-respecting servers to be trivially used as DOS nodes by having a control server. A machine could spoof the originating host on a lookup request for something nonexistent, and the payload of whatever the DNS is supposed to return is significantly larger than the lookup requests themselves, so you could trick one of the nameservers into bombarding your victim for you. What ever happened with that?
Are you kidding me?! If we don't cast the enchantment of APK banishment in every story about DNS, general networking or privacy, soon the real APK will be summoned, and NOBODY wants that.
Awesome... now more people will be tricked into switching to Google's DNS servers, and therefore, more people can be tracked by Google.
Before, Google just watched your browsing habits, your email, your phone calls and cell phone activities, your physical connection, tracked you through advertising, monitored your connections to your friends, and, well, when you took a dump too.
Now, Google plans to monitor every other activity your computer partakes in, as it watches all the DNS lookups you make. Any website you go to, that is not done via a Google search. What other software you use. What forums you go to. What *threads* you look at in forums, as the dns entries will sync with threads Google has already cached. Do you download torrents? Do a lot of MX record lookups?
Google can determine a vast amount of info via DNS lookups.
Google -- can you PLEASE just focus on making your core, search technology less inane? Not everyone wants to search for random, unrelated responses to searches. When they search for "bob cat", they don't want "Robert Kats".
Oh? And while you're at it, please make Verbatim searches work again. You've only had that for what, a year since you SCREWED UP + SEARCHES, and you've already started to DEGRADE IT!
Cornholes!
Slashdot: 2001 called and wants its lack of Unicode support back.
I've explained before how vandals forced Slashdot to stop supporting Unicode.
Also, Zalgo.
A machine could spoof the originating host
How does spoofing the originating host get past an ISP's egress filter? As I see it, the attacker and the victim of such an amplification attack would have to be on the same ISP.
Just ban any post with "apk"
So how would one discuss sideloading Android applications?
Show me an ISP or host who supports IPv6 and DNSSEC for a reasonable price and I'll switch.
Fact is, usually your hosting provider runs your DNS for you, and until they change there's nothing I can do. Setting up a nameserver is within my realm of possibility but it's something that I pass off to third-parties for a reason (for a start, you need two and ideally they should be on different IP spaces and connections). Also, configuring and updating DNSSEC is, from what I've seen, a bitch and even the initial signing can be a pain in the arse. Sod all that hassle just for the convenience of a minority of visitors.
Combine that with the fact that for almost EVERYONE who owns a domain, someone else other than them actually hosts it (and the big guys who DO host their own domain nameservers? Well, they can and are enabling DNSSEC where they need it, but it's no small task) and you have a problem.
You can bitch at me as much as you like but that ain't going to DNSSEC-enable my domains that I don't host any more than bitching that my IPv6-ready setup isn't actually on an IPv6-compatible / supported connection / ISP-supplied router will get me online.
Talk to my ISP and domain host. Get a few of them moving, then we can talk. Until then, it's all just another technology that I can do nothing about without a lot of expense for virtually zero gain.
P.S. The domains I do have on VPS / external servers on hosts which offer DNSv4 control publish AAAA records which work. In the same way they publish SPF records that work, and DKIM records that work, and reverse DNS records that are valid. And they ALL get used. But not really enough to justify even the small effort it took to do all that.
I've done my bit. Call me when my ISP host gets off their arse and does theirs. In fact, call me when Slashdot does the same. 10 years on and they're still publishing articles about the doom of IPv4 without a single AAAA record to their name.
Google beats the military and the government to something that helps authenticate their identity online? Say it ain't so!
personally I have been looking forward to this !!
thank you finally validation works
John
Since you PAY your ISP for your service, you are bound to a contract with them. That contract is binding, and if they break it, by providing your information to someone else, then you have due cause for a case to be leveled against them. With Google, no such contract exists.
Google has not correctly implemented DNSSEC. If you send them a normal DNS query and the response is not validly signed, they just pass the answer back to you without any indication that it's invalid. They only tell you that the answer failed to validate if you set the DO ("dnssec okay") or AD ("authentic data") bits in your query, which almost no DNS clients currently do.
If the answer is invalid, a validating name server is supposed to respond with SERVFAIL, so that even if the client doesn't know anything about DNS security, it will still be protected against spoofing. Google is claiming to provide protection against spoofing, and then they aren't providing *any protection at all*.
If you want DNSSEC protection, you're still going to have to run a validating name server yourself: either BIND 9 or Unbound. (Disclosure: I'm a BIND 9 author.) It is, nowadays, extremely easy to configure a validating name server using BIND 9; in any version since 9.8.0, a one-line named.conf will do it:
options { dnssec-validation auto; };
Run named with that configuration and "nameserver 127.0.0.1" in resolv.conf and you're good to go. Google public DNS is not ready to trust yet.
This would be great for me in China. That is, until google DNS gets blocked completely. Even using Google DNS in mainland China gives very odd random-seeming replies for requests to certain sites like facebook. It really seems like even request to foreign DNS servers get spoofed (though not consistently, about 1 in 20 reuqests seemed to acually give a facebook server).