[technology taskforce] [technical-issues] Slack Engineering Blog : The Case of the Recursive Resolvers (What Happened During Slack’s DNSSEC Rollout)

Lutz Donnerhacke lutz at donnerhacke.de
Tue Jan 11 10:15:35 UTC 2022

On Mon, Jan 10, 2022 at 03:49:08PM -0400, Dev Anand Teelucksingh via Technical-issues wrote:
> https://slack.engineering/what-happened-during-slacks-dnssec-rollout/

To summarize it: Incompetence at two levels.
 - no understanding of DNSSEC (signing subzones)
 - invalid zone (CNAME on apex) which was revealed by DNSSEC
 - no understanding of DNS resolvers (DS/NSEC caching)
Amazon (Route53):
 - incorrect implementation (NSEC generation for *, very basic error)
 - insufficient key management (no control over ZSK)
 - insufficient zone management (partially signed hierarchy)

I'm not impressed.
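The "CNAME on apex" point above is one that a zone lint can catch before signing ever reveals it, so here is an added example (not code from the post, from Slack or from Amazon Route 53): a small Python checker that parses a simplified zone file and flags CNAME records that RFC 2181 section 10.1 forbids at a name holding other data, treating the apex as the special case it is. The zone contents, the name example.test, and the function names are constructed assumptions.

```python
"""Lint a zone for CNAME records that cannot legally coexist with other data.

RFC 2181 section 10.1: a CNAME must be the only record at its owner name.
RFC 4035 section 2.5 exempts the DNSSEC records (RRSIG, NSEC) that sign it.
The zone apex always carries SOA and NS, so a CNAME at the apex is never
valid; unsigned zones often appear to work anyway because resolvers are
lenient, and signing the zone is what exposes the conflict.

Constructed example; not Slack's or Route 53's zone data.
"""
from collections import defaultdict

# DNSSEC records that RFC 4035 allows to sit beside a CNAME at the same name.
DNSSEC_COMPANIONS = {"RRSIG", "NSEC"}

# Constructed zone (assumption): one legal CNAME, one apex CNAME, one CNAME+MX.
SAMPLE_ZONE = """
$ORIGIN example.test.
$TTL 300
@     IN SOA   ns1 hostmaster 2022011101 3600 900 1209600 300
@     IN NS    ns1
@     IN CNAME lb.provider.example.      ; illegal: apex already has SOA and NS
www   IN CNAME lb.provider.example.      ; legal: CNAME is alone at this name
www   IN RRSIG CNAME 13 3 300 20220201000000 20220101000000 12345 example.test. c2lnbmF0dXJl=
mail  IN CNAME lb.provider.example.
mail  IN MX    10 mx.provider.example.   ; illegal: CNAME next to MX
ns1   IN A     192.0.2.53
"""


def parse_zone(text, origin):
    """Return {owner_name: set(rr_types)} from a simplified master-file text.

    Handles $ORIGIN, '@', relative owner names and ';' comments. Multi-line
    parenthesised records and blank-owner continuation lines are not
    supported (this is a lint, not a full RFC 1035 parser).
    """
    origin = origin.rstrip(".") + "."
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".") + "."
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and other directives do not create records
        owner = tokens[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = tokens[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]  # optional TTL
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]  # optional class
        if not rest:
            continue
        records[owner.lower()].add(rest[0].upper())
    return dict(records)


def find_cname_conflicts(records, apex):
    """Return [(owner, reason)] for every CNAME that violates RFC 2181 10.1."""
    apex = apex.rstrip(".").lower() + "."
    findings = []
    for owner, types in sorted(records.items()):
        if "CNAME" not in types:
            continue
        others = types - {"CNAME"} - DNSSEC_COMPANIONS
        if owner == apex:
            findings.append((owner, "CNAME at zone apex; the apex must hold "
                                    "SOA and NS, so a CNAME can never be alone here"))
        elif others:
            findings.append((owner, "CNAME coexists with "
                                    + ", ".join(sorted(others))))
    return findings


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE, "example.test")
    for owner, reason in find_cname_conflicts(zone, "example.test"):
        print(f"{owner}: {reason}")
```

Run against the constructed zone it reports the apex and the mail name and stays silent on www, where the RRSIG beside the CNAME is exactly what a signed zone is supposed to contain. A check like this belongs in the pipeline that publishes zone changes, ahead of enabling signing, so the conflict is found as a lint failure rather than as a resolution failure at validating resolvers.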
