In the last few days, all my web services have been secured with DNSSEC. I have used DNSPod for some time and am pretty satisfied with their service, but after some incidents of failing to resolve for foreign places, I decided to change my DNS service. So my DNS service has been changed, and also secured with DNSSEC.
DNSSEC is a chain of trust service that authorization each DNS reply using asymmetric encryption. It starts from the top-level CA, which is “.”, and then some gTLD, like “org.”, and then the register’s domain. It’s a signing only method, so the DNS request is not encrypted and can be cached. The weakest point is that your domain registrar has total control over the DNSSEC key so that if your domain registrar wanted to change it to another thing, it would be done. Also, the encrypted key of “.” and “org.” is both 1024 bit RSA, so there may be some possibility to break it using a really big supercomputer within expire time. (there is about 1.47% possibility that you can break a 1024bit RSA key using Tianhe-2 under six month)
It’s a good way to prevent DNS poisoning. With DNSSEC, the most respectable mail service(Google) will not be fooled by easy tricks to send the email to some MIMA server. Also, if the client’s DNS service is secured under DNSSEC, the client will not be fooled to another site.
However, there is little ISP that does the right DNSSEC check inside China. One famous DNS provider inside china, 114DNS, has exactly zero aware of DNSSEC. And if the DNS record is signed with the wrong key, the 114DNS will not care and just return the malicious result.
So I set up three DNS servers to do the right DNSSEC check. One for my personal network(mail/VPCC/wiki/gitlab/backup/LDAP/WebDAV…) and another for my personal VPN. The two DNS servers using another DNS server as a cache. Now the weakest spot is that before I start my VPN, the DNS is poisoned. However, as my VPN is secured using another set of RSA keys, and I never visit anywhere without my VPN on, it should be fine.
With DNSSEC, I can now have my keys published using DNS. Now my GPG key for email@example.com can be auto-fetched if the DNS search is enabled. The weak point is that the DNS search function is not capable of verifying DNSSEC at peer but relies on the remote resolver. RFC4035 seems to be suggesting any client with the ability to check DNSSEC to check DNSSEC by itself. I believe GnuPG is a client that has the ability to check DNSSEC and should have checked DNSSEC. Without that function, anyone can just modify the UDP package between the resolver and the client to give the client any key the attacker likes. A temporary solution would be setting up a DNSSEC capable resolver at the localhost and dig from 127.0.0.1:53.
Whatever, having it is better than having nothing. But still, if you want to send me encrypted emails, see about page on this blog and using keys there, or make sure you are doing DNSSEC check at localhost…