In the last few days, all of my web services have been secured with DNSSEC. I had used DNSPod for some time and was pretty satisfied with their service, but after some incidents where my domains failed to resolve from abroad, I decided to change my DNS service. So my DNS service has been changed, and it is also secured with DNSSEC.
DNSSEC is a chain of trust that authenticates each DNS reply using asymmetric cryptography. It starts from the root zone “.”, which acts as the top-level trust anchor, then a TLD such as “org.”, and then the registrant’s domain. It is a signing-only method, so DNS requests are not encrypted and replies can still be cached. The weakest point is that your domain registrar has total control over the DNSSEC key, so if your registrar wanted to change it to something else, it would be done. Also, the signing keys of “.” and “org.” are both 1024-bit RSA, so there may be some possibility of breaking them with a really big supercomputer before they expire (there is about a 1.47% chance of breaking a 1024-bit RSA key using Tianhe-2 within 6 months).
It is a good way to prevent DNS poisoning. With DNSSEC, most respectable mail services (Google) will not be fooled by easy tricks into sending email to some man-in-the-middle server. Also, if the client’s DNS service is secured with DNSSEC, the client will not be fooled into visiting another site.
However, few ISPs inside China do proper DNSSEC validation. One famous DNS provider inside China, 114DNS, has exactly zero awareness of DNSSEC: if a DNS record is signed with the wrong key, 114DNS will not care and will just return the malicious result.
So I set up three DNS servers to do proper DNSSEC validation: one for my personal network (mail/VPCC/wiki/gitlab/backup/LDAP/WebDAV…) and another for my personal VPN, with the two of them using a third DNS server as a cache. Now the weakest spot is that before I start my VPN, my DNS may be poisoned. However, as my VPN is secured using a separate set of RSA keys, and I never visit anywhere without my VPN on, it should be fine.
With DNSSEC, I can now publish my keys using DNS. My GPG key can now be auto-fetched if DNS lookup is enabled. The weak point is that the DNS lookup function is not capable of verifying DNSSEC itself but relies on the remote resolver. RFC 4035 seems to suggest that any client with the ability to check DNSSEC should do so by itself. I believe gnupg is a client that both can have the ability to check DNSSEC and should check DNSSEC. Without that function, anyone can just modify the UDP packets between the resolver and the client to give the client any key the attacker likes. A temporary solution would be to set up a DNSSEC-capable resolver on localhost and query from 127.0.0.1:53.
Anyway, having it is better than having nothing. But still, if you want to send me encrypted emails, see the about page on this blog and use the keys there, or make sure you are doing DNSSEC validation on localhost…