1 file changed +10 -0 lines changed
@@ -860,6 +860,16 @@ operation of the Internet. While DNSSEC has struggled to gain
860860traction, other methods of protecting DNS have appeared more
861861recently and are having some impact, as discussed in the next section.
862862
863+ The challenges of securing DNS illustrate a point we made early in
864+ the book about the trusted computing base (TCB) and minimizing its size. If
865+ DNS needs to be trusted in order for systems that depend on the
866+ Internet to operate securely, then we have chosen a large, distributed system
867+ component that needs to be made secure. Having largely failed to make
868+ DNS secure over thirty years, it is a good thing that TLS (and other
869+ systems using end-to-end encryption) provides secure communications
870+ over untrusted infrastructure. In other words we have excluded DNS
871+ from the TCB.
872+
863873A final note on DNSSEC is that, by making responses larger, it has the
864874potential to worsen amplification attacks. The response to a request
865875to a DNS server that implements DNSSEC contains both a signature and
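Review bot: the final step of the new paragraph ("In other words we have excluded DNS from the TCB", lines 870-871) is stronger than the argument before it supports, and needs a qualifying sentence. TLS takes DNS out of the TCB only for the confidentiality and integrity of the connection, and only because the client validates that the server's certificate matches the name it asked for: a spoofed DNS answer then produces a failed handshake rather than a compromised session. The paragraph as written does not say this, so a reader could conclude that end-to-end encryption alone does the work, when it is the name binding in certificate validation that does. Two caveats are also worth stating: a poisoned answer still denies service (DNS stays in the TCB for availability), and the certificate issuance process itself depends on DNS, since certificate authorities check domain control by resolving the applicant's name, so DNS is pushed out of the TCB rather than removed from it. Suggest replacing the last sentence with something like: "In other words, for the confidentiality and integrity of the connection we have excluded DNS from the TCB, although not for availability, and only because TLS checks that the server's certificate matches the name the client requested."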
0 commit comments