
This is a super important point! The parent post, which is quite good, forgets the qualifier that in practice DNSSEC is exclusively a server-to-server protocol: it's what your DNS server uses to attempt to authenticate records from other servers. But when you get the records, you don't get the signatures; you just get a single bit in the header that says "I pinky swear that I checked the signatures".

It's wild that we're even considering rolling more of this out in 2023.



> But when you get the records, you don't get the signatures; you just get a single bit in the header that says "I pinky swear that I checked the signatures".

Clients absolutely do get RRSIGs (and relevant NSEC/NSEC3); however, they don't necessarily validate them.
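Added illustration of what the two comments above are arguing about (this is not code from either commenter). The block below builds constructed DNS response messages and parses them: the AD ("authentic data") flag is one bit in the header's flags word that the recursive resolver sets, with nothing on the stub-to-resolver hop that binds it to the answer, so anyone on that path can set it with a one-byte change; RRSIG records, by contrast, are ordinary RRs in the answer section that a stub can see and parse. The qname, address, TTLs, key tag and timestamps are made up, and the RRSIG "signature" is filler bytes, not a real signature; no validation is performed.

```python
import struct

# DNS header flag bits (second 16-bit word of the header, RFC 1035 / RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # "authentic data": resolver claims it validated (RFC 4035 3.2.3)

TYPE_A = 1
TYPE_RRSIG = 46
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers. Returns (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (end if jumped else off)


def encode_rrsig_rdata(type_covered, algorithm, labels, orig_ttl, expiration,
                       inception, key_tag, signer, signature):
    """RRSIG RDATA layout per RFC 4034 3.1; `signature` is treated as opaque bytes."""
    fixed = struct.pack(">HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                        expiration, inception, key_tag)
    return fixed + encode_name(signer) + signature


def parse_rrsig_rdata(rdata):
    fields = struct.unpack(">HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return {"type_covered": fields[0], "algorithm": fields[1], "labels": fields[2],
            "orig_ttl": fields[3], "expiration": fields[4], "inception": fields[5],
            "key_tag": fields[6], "signer": signer, "signature": rdata[off:]}


def build_response(flags, qname, answers):
    """Assemble a response: header, one A question, the given (name, type, ttl, rdata) RRs."""
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", TYPE_A, CLASS_IN)
    body = b""
    for name, rtype, ttl, rdata in answers:
        body += encode_name(name) + struct.pack(">HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + body


def parse_response(msg):
    """Return the AD flag plus every RR in the message, with RRSIGs picked out."""
    _ident, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"ad": bool(flags & FLAG_AD),
            "records": records,
            "rrsigs": [r for r in records if r[1] == TYPE_RRSIG]}


def set_ad_bit(msg):
    """All an on-path party between stub and resolver needs to do to 'authenticate' an answer."""
    flags = struct.unpack(">H", msg[2:4])[0] | FLAG_AD
    return msg[:2] + struct.pack(">H", flags) + msg[4:]


def demo_messages():
    """Constructed sample responses (not captured traffic; the RRSIG signature is dummy bytes)."""
    a_rr = ("example.com.", TYPE_A, 300, bytes([192, 0, 2, 1]))
    rrsig = ("example.com.", TYPE_RRSIG, 300, encode_rrsig_rdata(
        TYPE_A, 13, 2, 300, 0x65000000, 0x64F00000, 4242, "example.com.", b"\x11" * 64))
    validated = build_response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, "example.com.", [a_rr, rrsig])
    unsigned = build_response(FLAG_QR | FLAG_RD | FLAG_RA, "example.com.", [a_rr])
    return validated, unsigned


if __name__ == "__main__":
    validated, unsigned = demo_messages()
    for label, m in (("validated", validated), ("unsigned", unsigned), ("forged", set_ad_bit(unsigned))):
        p = parse_response(m)
        print(f"{label}: AD={p['ad']} RRSIGs={len(p['rrsigs'])}")
```

Running it prints that the "validated" answer carries AD=1 and one RRSIG, the "unsigned" answer carries neither, and the "forged" answer carries AD=1 with no RRSIG at all. That is the gap between the two positions: the signatures do arrive at a client that asked for them, but a client that only checks the AD bit is trusting the resolver and the unprotected path to it, not the signatures.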



