
I'm tasked with configuring our domain to use DNSSEC. We currently use AWS Route 53 as both our registrar and DNS hosting provider. According to the AWS documentation, Route 53 supports DNSSEC for both of these services. As far as I understand, the whole process of validating DNS queries belongs to the servers, from the recursive resolver to the TLD domain servers. My current project involves IoT devices, connected using different ISPs, which don't have any convention in terms of the recursive resolver server to use (but this could be changed). Given this scenario:

  • Should the recursive resolver server used be chosen based on its capability to validate DNSSEC? My understanding is that the answer is yes, otherwise DNSSEC would be meaningless.

  • Does it make sense to also validate the response from the recursive resolver at the client level? Is there a risk of having a MITM attack at that level? The agent installed in the IoT devices is coded in Java, but I haven't found any well-known client capable of validating DNSSEC.

Juan Vega
  • I can't imagine why someone would implement DNSSEC and not have validation at the consuming endpoints, but it shouldn't need to be done by applications. – Greg Askew May 11 '21 at 15:42
  • As far as I understand, one thing is having DNSSEC implemented at the registrar or DNS hosting provider, and another is that the ISP validates the information returned from the query. Given these are IoT devices being connected through possibly different ISP providers, I understand I would need to ask for their configuration to be changed to use a recursive resolver like the Google one to ensure DNSSEC validation (we aren't in a situation to create our own resolvers). – Juan Vega May 11 '21 at 16:22
  • My remark was more of a comment on DNSSEC implementations in the *nix world. Endpoint validation doesn't seem to have merited much attention, probably because Linux isn't really a good or common platform for a general-purpose endpoint. By comparison, this functionality has been built in to Windows for 10 years, and endpoint validation is often the primary reason to do it. – Greg Askew May 11 '21 at 17:42
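Worked illustration of the second bullet in the question (added here, not code from the question or from AWS/Route 53): a minimal Python stub that sets the EDNS0 DO bit on a query and reads the AD bit back from a constructed reply. It shows what a non-validating client can and cannot learn: the AD flag tells it whether the resolver claims to have validated, but that flag is plaintext on the last hop, so a MITM between device and resolver can set or clear it unless that path is protected (DoT/DoH) or the device validates signatures itself.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035) and the EDNS0 "DNSSEC OK" bit (RFC 6891).
QR = 0x8000   # message is a response
AD = 0x0020   # Authenticated Data: resolver asserts it validated the answer
CD = 0x0010   # Checking Disabled: client asked the resolver not to validate
DO = 0x8000   # DO bit lives in the high half of the OPT record's TTL field


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query with RD set plus an OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question; 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO, 0)
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Extract the header fields a stub client needs to judge a resolver's reply."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def resolver_claims_validation(resp: bytes, expected_id: int) -> bool:
    """True only if this is a NOERROR reply to our transaction with AD set.
    A True result means the resolver *claims* DNSSEC validation; it is not proof,
    because AD is an unauthenticated bit that anyone on the client-resolver path can flip."""
    h = parse_header(resp)
    return h["qr"] and h["id"] == expected_id and h["rcode"] == 0 and h["ad"]


# Constructed sample reply headers (not captured traffic): same layout, different flags.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, no AD
```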
