> Why did you pick an example that does not use DNSSEC?
Because I'm trying to illustrate how much additional security you might or might not get if you added DNSSEC, especially with regard to government entities.
The answer is "N/A." The .ly TLD is not signed, so DNSSEC could never attest to the authenticity of the A record for bit.ly.
In order for this to be a useful exercise, you should structure the question in such a way that there is as much potential for government interference as possible. (Unless you are looking for a specific answer and you are trying to lead the respondent.) Government interference with DNSSEC is not limited to the `.` zone. Or put another way, DNSSEC's attack surface area is not limited to the sacred KSK.