Reply to post: Re: All I want to know

CloudFlare drinks the DNSSEC kool-aid, offers it on universal basis

John Robson Silver badge

Re: All I want to know

No - and it doesn't make you coffee either...

It allows you to verify that the record you just got back from your query to theregister.co.uk was indeed signed by The Register, as authenticated by ".co" as authenticated by ".uk" as authenticated by the root.

Given that you visit frequently you can also use a preload or triangulation to further verify that the cert chain hasn't been tampered with.

You could of course add DNSCurve to secure the request/response to/from the DNS server you spoke to, but they probably keep logs anyway.

There is no reason DNSSEC cannot be used with DNSCurve - and you can add preloads and triangulation, amongst other things to provide further verification [more importantly to increase the cost of an attack, since that is all we can ever really do]

When did you last clear out the 600+ certificate authorities in your browser?
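
The chain of authentication described in the comment above, as an added example that is not part of the original post: each parent zone publishes a DS record (a hash of the child's DNSKEY, per RFC 4034), and a validator walks down from the root trust anchor. The keys are constructed stand-ins and the helper names are hypothetical; the sketch checks only the DS-to-DNSKEY delegation links, not the RRSIG signatures a real validator also verifies.

```python
import hashlib
import struct

ZONES = [".", "uk.", "co.uk.", "theregister.co.uk."]  # delegation path, root first

def wire_name(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS a parent publishes: (key tag, algorithm, digest type 2, SHA-256 digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def first_broken_link(chain, trust_anchor_ds):
    """chain: (zone, DNSKEY the zone serves, DS set it publishes for the next zone).
    Returns the first zone whose key is not vouched for from above, or None."""
    ds_set = trust_anchor_ds
    for zone, rdata, ds_for_child in chain:
        if make_ds(zone, rdata) not in ds_set:
            return zone
        ds_set = ds_for_child
    return None

# Constructed stand-in keys (flags 257 = key-signing key, algorithm 8 = RSA/SHA-256).
KEYS = {z: dnskey_rdata(257, 8, hashlib.sha256(z.encode()).digest()) for z in ZONES}
ANCHOR = [make_ds(".", KEYS["."])]  # the locally configured root trust anchor

def build_chain(served):
    """Parents publish DS records for the genuine KEYS; 'served' is what a resolver saw."""
    chain = []
    for i, zone in enumerate(ZONES):
        child = ZONES[i + 1] if i + 1 < len(ZONES) else None
        ds = [make_ds(child, KEYS[child])] if child else []
        chain.append((zone, served[zone], ds))
    return chain

if __name__ == "__main__":
    print(first_broken_link(build_chain(KEYS), ANCHOR))
```

A key substituted at any level fails the digest comparison against the DS held one level up, which is why the validator only needs to trust the root anchor it was configured with.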

Biting the hand that feeds IT © 1998–2022