Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I dispute this, even though this seems like the one case where we're talking about an attack that actually lines up with what DNSSEC actually does.

The reason is, what we're talking about is a massive misconfiguration. It's not an elaborate technical spoofing attack that takes advantage of the weakness of the underlying DNS. The mistake the .IO team made is just as easy to make in DNSSEC as it is with vanilla DNS.



But if the attacker is unable to sign DNS responses, and you're validating those responses, then you're not going to have a bad time.

I don't really understand your argument. I'm talking specifics and you seem to be talking about some hypothetical.


The underlying "vulnerability" here is misconfiguration. DNSSEC doesn't defend against misconfiguration. That's the simple point I'm making.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: