Lecture 15: DNSSEC
DNS over TLS
(True/False) DNS-over-TLS is rarely used because it would be too slow
Designing DNSSEC Pt. 1
(True/False) This design would have the same guarantees if we didn't include the IP addresss in the signature.
Designing DNSSEC Pt. 2
Say a nameserver decides to just sign a "no record" response which isn't specific to any particular domain. This signature could be precomputed so the amplification attack is no longer an issue. What new attack exists?
Designing DNSSEC Pt. 3
Say a nameserver uses the no-record response described in the video, but to stop enumeration attacks uses slightly different, non-existent domains in its response (ie. instead of return a non-existent message of [mail.google.com, maps.google.com], it would send [main.google.com, mars.google.com]). What problem does this cause?
(True/False) A resolver which supports DNSSEC will have the root server's public key hardwired into it.
Issues with DNSSEC
(True/False) DNSSEC still works properly even if some domains on a resolving path don't support it, as long as the root server does.