[talk] Question about DNSSEC

Miles Nordin carton at Ivy.NET
Sun May 5 18:23:49 EDT 2024


> I was wondering what you guys would recommend - shall I use the
> router's own DNS resolver with DNSSEC or shall I use my ISP's one
> without DNSSEC?

I don't think DNSSEC matters because the web does not use DANE, but I 
would not use the ISP's nameserver regardless, as George says.

Since names are bound to endpoints by TLS certificates the relevant
attack today is unregulated ISP logging, not cache poisoning.

It could make sense to use DNSSEC as part of some ssh intranet, putting
ssh fingerprints in DNS, but this is a special thing that has to be
configured, so it's hypothetical while the ISP logging is real.  I do not
really understand all the DNSSEC modes (do endpoints have to support it,
do you have to request fail-closed per query, what is the latency
penalty, etc.), so besides not being meaningful on the web, I'm not sure
offhand how to go about setting up such a hypothetical ssh-fp scheme.
DNSSEC seems kinda irrelevant to me, like IPv6, though this is "sad,"
or whatever.

> I'm wondering about sane public DNS that people are using, outside of
> the usual suspects....

I use a local resolver, and it's garbage.  I think BIND is buggy, and
besides the terrible security track record it wedges sometimes.  My gut
feeling is that there are a lot of broken recursive resolvers out there 
causing pages to load slowly.

If I were setting up something from scratch I'd probably try to use 
DNS-over-TLS to Cloudflare or Google to evade the logging.  If I decided
it was just too yucky to depend on a megacorp and that I want to keep
running a local resolver, it would not be BIND if I were doing it all over.

ISTR the logging policy for honestdns is sane, and Google is well-watched
by many litigious governments because of European protectionism and US
political grandstanding.  I guess the same is true of Cloudflare, but less so.
Of ISPs, obviously, we know they are not watched or effectively controlled
at all.  They are the most hated companies in the country; they scoff at other
regulations and pay the wrist-slap fines, and they illegally overcooperate with
government wiretaps, then receive retroactive immunity from Congress.  Maybe
ISPs are not watching local resolver traffic, only recursive traffic,
because weirdos like us are too rare and irrelevant to bother with the
implementation, but if Apple put a local resolver in AirPort by default
they would start watching that traffic, so DNS-over-TLS is a real move in
the game, solving a real problem that running a local resolver does not
solve: if you can get your web traffic to a CDN without the ISP seeing the
URL, you can gain a little more privacy without the speed, flakiness,
dollar, and sketchiness cost of a VPN.  It's a sensible default, which I
think is what you're looking for here: how do I provide an unopinionated
but "good" interweb connection?  So I would take option (c) other,
DNS-over-TLS, though it's not what I do myself.

For CDNs it's important your DNS queries come from near where the https
request will come from, so one thing you should definitely not do is
somehow shove DNS into a privacy VPN but then make https requests outside
the privacy VPN.  I think I was doing this at one point, not sure how
noticeable it was, but it's "incorrect" in terms of unopinionated-but-good.
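The DNS-over-TLS option recommended in the post, as an added example that is not part of the original message or of any resolver project's code. It builds a DNS query in wire format, frames it with the two-byte length prefix that TCP and DoT (RFC 7858) share, and parses the answer section back out; a constructed sample response (example.com A 192.0.2.1, using the documentation address range) is embedded so the parsing runs offline. The `dot_query` function does the live part: it opens TLS to port 853 and validates the server certificate against a hostname, which is what stops an on-path ISP box from quietly answering in the resolver's place. The server values are assumptions supplied here, not taken from the post: Cloudflare's public resolver at 1.1.1.1 presents a certificate for cloudflare-dns.com, and Google's at 8.8.8.8 presents one for dns.google.

```python
import socket
import ssl
import struct

# --- DNS wire format (RFC 1035) ---------------------------------------------

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query (flags RD=1) for one name, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """Prefix a message with its 2-byte big-endian length (TCP and DoT framing)."""
    return struct.pack("!H", len(msg)) + msg

def parse_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # the name ends after the first pointer
            off = ptr
            continue
        if ln == 0:
            off += 1
            break
        labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), end if end is not None else off

def parse_response(msg: bytes) -> dict:
    """Return transaction id, RCODE and the answer section of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = parse_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

# --- DNS over TLS (RFC 7858): TCP framing inside a certificate-validated session

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def dot_query(name: str, server_ip: str = "1.1.1.1",
              server_name: str = "cloudflare-dns.com", timeout: float = 5.0) -> dict:
    """Send one query over DoT; server_name is what the certificate is checked
    against (assumed values: 1.1.1.1/cloudflare-dns.com, 8.8.8.8/dns.google)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))

# Constructed sample response (no network): example.com A 192.0.2.1, TTL 300,
# with the answer name written as a compression pointer to the question (0xC00C).
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(CONSTRUCTED_RESPONSE))
    # Live lookup (sends traffic to the DoT server): print(dot_query("example.com"))
```

Two points from the post are visible in the code: the ISP sees only a TLS connection to port 853 on the resolver, never the names inside it, and the query still leaves from the client's own network, so a CDN's geolocation of the resolver matches where the subsequent https request will come from, which is exactly what pushing DNS alone into a VPN breaks.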