Google: Where’s Your DNSSEC?

Google has invested heavily in IT security, and, I think has done a decent job of it. All services are TLS by default, identity and authorisation is well dealt with.

So I was somewhat surprised this am to see that Google’s own .com (and .ca) are not DNSSEC setup. I wonder why, there must be a reason.

DNSSEC helps to avoid domain spoofing, which in turn can be used to cheat and get TLS certifications. I’m sure this was a conscious decision. Their 8.8.8.8 server does DNSSEC validation. Its an option in their managed Google Domains. Their Cloud DNS supports it. Just not inbound to their corporate domain.

Posted

in

by

db

Tags:

Comments

2 Responses to “Google: Where’s Your DNSSEC?”

  1. Matt Tooley

    A lot of enterprises have opted out of DNSSEC as it makes DNS amplification attacks worse.

    Reply
    1. db

      https://datatracker.ietf.org/meeting/94/materials/slides-94-irtfopen-0
      discusses the dns amplification issue.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *