[technology taskforce] [technical-issues] Slack Engineering Blog : The Case of the Recursive Resolvers (What Happened During Slack’s DNSSEC Rollout)
Lutz Donnerhacke
lutz at donnerhacke.de
Tue Jan 11 10:15:35 UTC 2022
On Mon, Jan 10, 2022 at 03:49:08PM -0400, Dev Anand Teelucksingh via Technical-issues wrote:
> https://slack.engineering/what-happened-during-slacks-dnssec-rollout/
To summarize it: Incompetence at two levels.
Slack:
- no understanding of DNSSEC (signing subzones)
- invalid zone (CNAME on apex) which was revealed by DNSSEC
- no understanding of DNS resolvers (DS/NSEC caching)
Amazon (Route53):
- incorrect implementation (NSEC generation for *, very basic error)
- insufficient key management (no control over ZSK)
- insufficient zone management (partially signed hierarchy)
I'm not impressed.
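One of the points above, the CNAME at the zone apex, is something a zone owner can catch before a DNSSEC rollout by linting the zone file. The following is an added example, not from this post or from Slack or Route 53: a minimal Python lint that parses a simple presentation-format zone (one record per line, optional TTL and class before the type, no $ORIGIN/$TTL handling) and reports any name where a CNAME coexists with other data. Since the apex always owns SOA and NS, a CNAME there is never valid; the sample zone and its names are constructed.

```python
"""Minimal zone-file lint: flag CNAME records at the zone apex.

Added example, not from the mailing-list post or from Slack/Route 53.
Assumes a simple presentation-format zone file (one record per line,
"owner [TTL] [class] type rdata"); the apex name is given by the caller.
"""
from collections import defaultdict

# Constructed sample zone: the apex "example.test." carries SOA and NS
# and also a CNAME, which is the invalid configuration the post refers to.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 300
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN CNAME edge.cdn.example.test.
www.example.test. 300 IN CNAME edge.cdn.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
edge.cdn.example.test. 300 IN A 192.0.2.2
"""


def parse_zone(text):
    """Return {owner: {rrtype: [rdata, ...]}} for a simple zone file."""
    records = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower()
        rest = fields[1:]
        if rest and rest[0].isdigit():  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        rrtype = rest[0].upper()
        rdata = " ".join(rest[1:])
        records[owner][rrtype].append(rdata)
    return records


def lint_cnames(records, apex):
    """Report names where a CNAME coexists with other data.

    RFC 1034 / RFC 2181: a name owning a CNAME may own no other RRset
    (DNSSEC's own RRSIG/NSEC records excepted). The apex always owns SOA
    and NS, so a CNAME there is never valid; signing tools typically
    verify the zone and refuse to sign it, which is why signing exposes
    a mistake that unsigned serving may have tolerated.
    """
    apex = apex.lower()
    problems = []
    for owner, rrsets in records.items():
        if "CNAME" not in rrsets:
            continue
        others = sorted(t for t in rrsets
                        if t not in ("CNAME", "RRSIG", "NSEC", "NSEC3"))
        if owner == apex:
            problems.append((owner, "CNAME at zone apex alongside " + ",".join(others)))
        elif others:
            problems.append((owner, "CNAME coexists with " + ",".join(others)))
    return problems


if __name__ == "__main__":
    for owner, msg in lint_cnames(parse_zone(SAMPLE_ZONE), "example.test."):
        print(f"{owner}: {msg}")
```

Run against the constructed sample, the lint flags only the apex; www.example.test. owns nothing but its CNAME and is fine. Running such a check in the pipeline that publishes the zone catches the error before a signer does, when it is still cheap to fix.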