Jan. 11, 2022
10:15 a.m.
On Mon, Jan 10, 2022 at 03:49:08PM -0400, Dev Anand Teelucksingh via Technical-issues wrote:
https://slack.engineering/what-happened-during-slacks-dnssec-rollout/
To summarize it: Incompetence at two levels.

Slack:
- no understanding of DNSSEC (signing subzones)
- invalid zone (CNAME on apex) which was revealed by DNSSEC
- no understanding of DNS resolvers (DS/NSEC caching)

Amazon (Route53):
- incorrect implementation (NSEC generation for *, very basic error)
- insufficient key management (no control over ZSK)
- insufficient zone management (partially signed hierarchy)

I'm not impressed.
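As an added illustration (not code from the message above, from Slack, or from Route 53): a small Python model of two of the failure classes the post names, a CNAME at the zone apex and a mis-generated NSEC chain around a wildcard, plus an RFC 8198-style aggressive negative cache that shows why a wrong NSEC record turns into synthesized NXDOMAIN answers for names a wildcard should serve. The zone names, record sets and NSEC chains are constructed; the "bad" chain is a hypothetical of the kind of error the post describes, not a reproduction of Route 53's actual output.

```python
"""Toy NSEC-chain linter and RFC 8198-style aggressive negative cache.
Illustration only: not Slack's or Route 53's code. All zone data below is
constructed; the 'bad' chain is a hypothetical wildcard-skipping NSEC chain."""


def canonical_key(name):
    """RFC 4034 s6.1 ordering: labels compared right-to-left as lower-cased
    octet strings; a name whose labels are a proper prefix sorts first.
    Note '*' (0x2A) sorts before letters and digits, so *.zone follows zone."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode() for label in reversed(labels))


def is_ancestor(anc, name):
    """True if anc is name itself or one of its ancestors."""
    a, n = canonical_key(anc), canonical_key(name)
    return n[:len(a)] == a


def nsec_covers(owner, nxt, qname):
    """True if NSEC (owner -> nxt) asserts qname does not exist.
    The last NSEC of a chain wraps around to the apex, so nxt <= owner."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def lint_zone(rrsets):
    """rrsets: {owner: {rrtype: [rdata, ...]}}. The apex always carries SOA
    and NS, so a CNAME there violates RFC 1034 s3.6.2; signing makes this
    visible because validators reject the mixed RRset."""
    problems = []
    for owner, types in rrsets.items():
        if "CNAME" in types and len(types) > 1:
            others = sorted(t for t in types if t != "CNAME")
            problems.append(f"{owner}: CNAME may not coexist with {others}")
    return problems


def check_nsec_chain(apex, names, nsecs):
    """names: every name that exists in the zone, wildcards included.
    nsecs: list of (owner, next). Flags chain gaps, wrong 'next' pointers,
    and any NSEC that denies a name that actually exists."""
    problems = []
    expected = sorted(set(names) | {apex}, key=canonical_key)
    ring = expected[1:] + expected[:1]
    got = dict(nsecs)
    for owner, nxt in zip(expected, ring):
        if owner not in got:
            problems.append(f"missing NSEC for {owner}")
        elif canonical_key(got[owner]) != canonical_key(nxt):
            problems.append(f"NSEC {owner} -> {got[owner]} should point to {nxt}")
    for o, n in nsecs:
        for name in expected:
            if nsec_covers(o, n, name):
                problems.append(f"NSEC {o} -> {n} denies existing name {name}")
    return problems


class AggressiveNsecCache:
    """Resolver-side view: cached NSECs are reused to answer later queries
    (RFC 8198), so one bad NSEC poisons every name it covers until expiry."""

    def __init__(self, apex, nsecs):
        self.apex, self.nsecs = apex, list(nsecs)

    def _covering(self, q):
        if not is_ancestor(self.apex, q):      # NSECs only speak for their zone
            return None
        return next(((o, n) for o, n in self.nsecs if nsec_covers(o, n, q)), None)

    def closest_encloser(self, q):
        """Longest proper ancestor of q that exists; approximated here as an
        ancestor of some NSEC owner (so empty non-terminals count)."""
        labels = q.rstrip(".").split(".")
        for i in range(1, len(labels)):
            cand = ".".join(labels[i:])
            if any(is_ancestor(cand, o) for o, _ in self.nsecs):
                return cand
        return None

    def synthesize_nxdomain(self, q):
        """NXDOMAIN from cache only if one NSEC covers q and another covers
        the wildcard at the closest encloser (RFC 8198 s5.1 / RFC 4035)."""
        if self._covering(q) is None:
            return False
        ce = self.closest_encloser(q)
        return ce is not None and self._covering("*." + ce) is not None


# Constructed example zone: apex, a wildcard, and one explicit host.
APEX = "slack.com"
ZONE_NAMES = ["*.slack.com", "www.slack.com"]
GOOD_NSECS = [("slack.com", "*.slack.com"), ("*.slack.com", "www.slack.com"),
              ("www.slack.com", "slack.com")]
BAD_NSECS = [("slack.com", "www.slack.com"), ("www.slack.com", "slack.com")]  # wildcard skipped
APEX_CNAME_ZONE = {"slack.com": {"SOA": ["..."], "NS": ["ns1"], "CNAME": ["target"]}}
OK_ZONE = {"slack.com": {"SOA": ["..."], "NS": ["ns1"]}, "www.slack.com": {"CNAME": ["target"]}}

if __name__ == "__main__":
    print(lint_zone(APEX_CNAME_ZONE))
    print(check_nsec_chain(APEX, ZONE_NAMES, BAD_NSECS))
    for label, chain in (("good", GOOD_NSECS), ("bad", BAD_NSECS)):
        cache = AggressiveNsecCache(APEX, chain)
        print(label, "foo.slack.com NXDOMAIN from cache:", cache.synthesize_nxdomain("foo.slack.com"))
```

With the good chain, `foo.slack.com` is covered by the `*.slack.com -> www.slack.com` record but the wildcard itself is not, so the resolver must still ask the authoritative server and gets the wildcard answer. With the bad chain the apex NSEC jumps straight to `www.slack.com`, which "proves" `*.slack.com` absent, and an aggressive cache then answers NXDOMAIN for every wildcard-served name for the NSEC's TTL.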