True - my bad of referring to DNSsec; there are other ways you can use encryption for DNS resolving (by using an external DNS server that encrypts using TLS or simply by using DNS-over-HTTPs). This way you get 100% encryption of your DNS traffic (and thus tamper checks that would detect bitflips). Again, not arguing against ECC, there are valid points to want it - I just see less and less reasons in the consumer market.
Encryption and signing don't protect against memory corruption.
For example, I download software from the internet then hash it. The hash matches. Before the bytes are written to disk locally, a bit flips in RAM. The corrupted data is written to disk and used.
Likewise, dnssec doesn't protect you against DNS bitsquatting attacks[1] because the domain name can be changed before the DNS request is made. So the DNS response your computer makes for a-azon.com might be totally valid and signed. It can come through DoH or whatever. The problem is that your browser thought it was the response for amazon.com and chrome send a bitsquatter your amazon cookies. (Oops).
littlecranky67|2 years ago
josephg|2 years ago
For example, I download software from the internet then hash it. The hash matches. Before the bytes are written to disk locally, a bit flips in RAM. The corrupted data is written to disk and used.
Likewise, dnssec doesn't protect you against DNS bitsquatting attacks[1] because the domain name can be changed before the DNS request is made. So the DNS response your computer makes for a-azon.com might be totally valid and signed. It can come through DoH or whatever. The problem is that your browser thought it was the response for amazon.com and chrome send a bitsquatter your amazon cookies. (Oops).
[1] https://www.youtube.com/watch?v=9WcHsT97suU
iopq|2 years ago