Overview
Syllabus
Intro
DNSSEC specifies a Public Key Infrastructure not unlike X.509 for TLS: a hierarchical chain of trust, except that the trust anchor is the root zone's key rather than a set of certificate authorities.
DNS is hierarchical and divided into zones
Under DNSSEC, a zone signs its own records (RRSIG) with its own keys (DNSKEY); the parent zone vouches for the child's key by publishing a DS record (a hash of that key), which forms the chain of trust up to the root.
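The chain-of-trust step described above, as an added example that is not part of the original page: compute the DS record a parent would publish for a child's key-signing key and check a child DNSKEY set against it, as a validator does. The zone name, key bytes and the trusted_ksk helper are constructed for illustration; the key bytes are placeholders, not real public keys.

```python
"""Added example, not code from the original page: the DNSSEC chain-of-trust
step in which a parent zone's DS record vouches for a child zone's KSK.
The zone name and key bytes below are constructed placeholders, not real keys."""
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [] if name == "." else name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum that lets a validator pick
    the right DNSKEY out of a key set; it is not a security property."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata):
    """DS RDATA (RFC 4034 s5.1): key tag, algorithm, digest type 2 (SHA-256) and
    SHA-256 over the canonical owner name followed by the DNSKEY RDATA."""
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)


def trusted_ksk(owner, parent_ds_set, child_dnskeys):
    """Chain-of-trust step a validator performs (hypothetical helper): a child DNSKEY
    with the Zone Key flag (bit 7, value 256) is trusted only if a DS published by
    the parent matches it. Returns the matching DNSKEY RDATA, or None."""
    for flags, algorithm, public_key in child_dnskeys:
        if not flags & 256:
            continue
        rdata = dnskey_rdata(flags, algorithm, public_key)
        if ds_record(owner, rdata) in parent_ds_set:
            return rdata
    return None


# Constructed demo: algorithm 13 (ECDSA P-256) keys are 64 bytes on the wire;
# these are placeholder bytes, not real public keys.
CHILD = "example.test."
KSK_PUB = bytes(range(64))
ZSK_PUB = bytes(range(64, 128))
CHILD_DNSKEYS = [(257, 13, KSK_PUB), (256, 13, ZSK_PUB)]
# What the parent zone (test.) would publish after the child submitted its KSK.
PARENT_DS = {ds_record(CHILD, dnskey_rdata(257, 13, KSK_PUB))}

if __name__ == "__main__":
    print("DS in parent:", PARENT_DS)
    print("trusted KSK found:", trusted_ksk(CHILD, PARENT_DS, CHILD_DNSKEYS) is not None)
    # A swapped key (attacker-controlled child zone) does not match the parent's DS.
    print("rogue KSK:", trusted_ksk(CHILD, PARENT_DS, [(257, 13, bytes(64))]))
```

The point to take away: the parent never signs the child's records, only the DS; everything below the DS is the child's own signature, which is why a compromised child key cannot be fixed by the parent until a new DS is published.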
An NSEC record for a DNSSEC-protected name names the next owner in the zone's canonical order (and lists the record types present at the name); that is how a signed zone proves a name or type does not exist.
Because anyone can follow those "next" pointers to list every name in the zone, and enumerating a zone is a valuable recon step for malicious actors, this is a real weakness. NSEC3 hashes the owner names instead, but the hashes and their salt are public, so the chain can still be attacked offline with a dictionary.
A third iteration, NSEC5, provably prevents zone enumeration: it replaces the hash with a verifiable random function, so only the holder of the zone's key can compute the chain.
CloudFlare takes an interesting approach they call "Black Lies": a nonexistent name is answered with NOERROR plus a synthesized NSEC that covers only the queried name (its "next" name is the immediate successor of the query), so no real neighbouring name is ever revealed. They pair it with a technique they call "DNS Shotgun".
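The NSEC walk, the NSEC3 dictionary attack and the Black Lies answer from the preceding points, as one added example that is not code from the original page or from Cloudflare. It is a toy in-process model: the zone names, the wordlist, the salt and the server/walker helpers are all constructed for illustration, type bitmaps are ignored, and the Black Lies server reflects Cloudflare's published description as understood here (owner = query name, next = query name with a \000 label prepended).

```python
"""Added example, not code from the original page or from Cloudflare: a toy
model of NSEC authenticated denial, the zone walk it enables, the offline
dictionary attack that NSEC3's hashing still leaves open, and the Black Lies
answer that reveals nothing. Zone names and the wordlist are constructed."""
import base64
import hashlib

ZONE_APEX = "example.test."
ZONE_NAMES = {"example.test.", "alpha.example.test.", "mail.example.test.",
              "www.example.test.", "zulu.example.test."}


def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def build_nsec_chain(names):
    """NSEC: each owner points at the next owner in canonical order; the last wraps to the apex."""
    ordered = sorted(names, key=canonical_key)
    return {n: ordered[(i + 1) % len(ordered)] for i, n in enumerate(ordered)}


def nsec_server(chain):
    """Authoritative server returning the (owner, next) NSEC that answers qname:
    the name's own NSEC for an existing name (NODATA), or the NSEC whose owner
    sorts just before qname for a nonexistent name (NXDOMAIN proof)."""
    ordered = sorted(chain, key=canonical_key)

    def answer(qname):
        if qname in chain:
            return qname, chain[qname]
        k = canonical_key(qname)
        covering = ordered[-1]
        for owner in ordered:
            if canonical_key(owner) > k:
                break
            covering = owner
        return covering, chain[covering]
    return answer


def walk_zone(answer, apex, limit=1000):
    """Zone enumeration: follow NSEC next pointers until the chain wraps to the apex."""
    found = [apex]
    _, nxt = answer(apex)
    while nxt != apex and len(found) < limit:
        found.append(nxt)
        _, nxt = answer(nxt)
    return found


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s5: iterated SHA-1 over the wire-format name plus salt, base32hex."""
    labels = [] if name == "." else name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode()
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


def nsec3_dictionary_attack(hashed_owners, zone, wordlist, salt, iterations):
    """NSEC3 hides names but publishes their hashes plus salt and iteration count,
    so an attacker who has walked the hashed chain can guess labels offline."""
    return {f"{w}.{zone}" for w in wordlist
            if nsec3_hash(f"{w}.{zone}", salt, iterations) in hashed_owners}


def black_lies_server():
    """Black Lies (Cloudflare, as modelled here): for any qname answer NOERROR with a
    synthesized NSEC whose owner is qname and whose next name is qname's immediate
    successor (the \\000 label prepended), so no real neighbour is ever disclosed."""
    def answer(qname):
        return qname, "\\000." + qname
    return answer


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE_NAMES)
    print("NSEC walk:", walk_zone(nsec_server(chain), ZONE_APEX))
    salt, iters = b"\xaa\xbb", 10          # constructed salt/iteration count
    hashed = {nsec3_hash(n, salt, iters) for n in ZONE_NAMES}
    print("NSEC3 recovered:", nsec3_dictionary_attack(
        hashed, ZONE_APEX, ["www", "mail", "ftp"], salt, iters))
    print("Black Lies walk:", walk_zone(black_lies_server(), ZONE_APEX, limit=3))
```

Run it and the NSEC walk lists the whole constructed zone from one starting name, the NSEC3 attack recovers every name whose label is in the wordlist, and the walk against the Black Lies server only ever learns successors of names it already asked about. The caveat Black Lies carries is that the answer is a synthesized record signed on the fly, which requires online signing keys at the edge.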
Ultimately, securing DNS is a non-trivial problem and it is unclear how we will solve it.