mlgualtieri / CSS-Exfil-Protection

Official repository for the CSS Exfil Protection browser extensions.
MIT License

[Request] Enable DNSSEC on your domain #28

Closed ghost closed 4 years ago

ghost commented 4 years ago

Hello, I have a simple request: the domain you use for the test (www.mike-gualtieri.com) isn't DNSSEC signed. Can you enable DNSSEC validation?

It's not mandatory, but it adds some security to prevent DNS spoofing of your domain name.

Thanks. Aelisya

ghost commented 4 years ago

After a longer test on Internet.nl I see some security errors on your domain:

https://internet.nl/site/www.mike-gualtieri.com/906106/

It would be nice to correct them ;)

mlgualtieri commented 4 years ago

I'm going to close this one. A few reasons:

1) The bug relates to my personal website, not the plugin.

2) SSL is well configured on my site. It currently has an A+ rating via Qualys SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=www.mike-gualtieri.com&hideResults=on

3) I don't really see any significant security benefit by using DNSSEC for my website. The site's SSL configuration uses CAA and HSTS, which should cut down on any MITM issues that could potentially take place.

I certainly do welcome being notified of potential security issues! I just don't see anything in that link that poses a realistic threat to the site or visitors.

ghost commented 4 years ago

I understand, but DNSSEC is mandatory for other security services (TLSA/DANE), and it will prevent DNS poisoning of users. CAA locks the certificate provider, but that doesn't mean the provider can't be hacked or have a bug and create a certificate for your domain for another user; HSTS only forces HTTPS and doesn't protect the domain from poisoning. DNSSEC validation forbids DNS poisoning, and I think two protections are better than one.

Lastly, ICANN recommends DNSSEC, and since it's free, why not activate it? Source: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

ghost commented 4 years ago

And for HSTS, I can recommend that you add your site to the HSTS preload list (it is updated with every major browser release) for better security: https://hstspreload.org/

mlgualtieri commented 4 years ago

When it comes down to it, I just don't see DNSSEC as a priority to implement at the moment for my personal website/blog. Although DNSSEC has merit, it's not widely utilized on most large websites, where DNS poisoning may actually fit into a threat model. As for HSTS, the reason I haven't configured preloading is that it's very difficult to undo this process.

ghost commented 4 years ago

No problem, I totally understand your choice (it costs nothing to ask ^^).