Please enable DNSSEC on domains ring.cx and jami.net
While looking into Jami (installed via MacOS App Store) and dhtnode (installed via "apt install dhtnode" on Debian testing), I found that:
- the dhtnode config file /etc/default/dhtnode relies on this name for bootstrapping:
  - bootstrap.ring.cx -- which I note is a CNAME for bootstrap.jami.net
- and the MacOS Jami client relies on these names:
  - dhtproxy.jami.net
  - turn.jami.net
  - bootstrap.jami.net
I performed a quick DNSSEC validation test on these names, and found that none are protected. For example, here are the test results for:
- bootstrap.ring.cx
- dhtproxy.jami.net
Summary: Both domains ring.cx and jami.net are insecure. Please enable DNSSEC in your DNS zones and at your registrar.
Rationale: DNSSEC comes at no additional cost with some registrars such as gandi.net and may even be trivial to enable, for example: https://news.gandi.net/en/2020/05/activate-dnssec-in-one-click/
From my understanding, the ring.cx and jami.net domains are relied upon during the crucial process of clients connecting to the opendht network for the first time, but at the moment, these zones are not DNSSEC protected which leaves clients vulnerable to attacks such as DNS hijacking.
If the Jami project enables DNSSEC for ring.cx and ring.net, then users on local networks with validating resolvers will immediately gain this added protection without any additional changes to their Jami clients. (No source code changes, transparent to the user: just enable DNSSEC on the domains.)
What do you think?
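An added example, not part of the original issue or the Jami project: a small stdlib-only Python checker that performs the kind of DNSSEC validation test described above by sending a query with the EDNS0 DO bit and reading the AD ("authentic data") flag in the reply. It assumes a validating resolver at 127.0.0.1; a non-validating resolver never sets AD, so every name would look "insecure" through it.

```python
import socket
import struct

AD_BIT = 1 << 5     # header flag set by a validating resolver when data passed validation
DO_BIT = 1 << 15    # EDNS0 "DNSSEC OK" flag in the OPT record's TTL field
QUERY_TXID = 0x1234  # fixed transaction id, fine for a one-shot diagnostic


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a wire-format DNS query (A record by default) with an OPT RR carrying DO."""
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", QUERY_TXID, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype, qclass IN
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode 0, version 0, DO set, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the header fields relevant to a DNSSEC check."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & AD_BIT), "answers": an}


def dnssec_status(response: bytes, expected_txid: int = QUERY_TXID) -> str:
    """Classify a response: AD set means the resolver validated the chain of trust."""
    f = parse_flags(response)
    if f["txid"] != expected_txid:
        return "mismatched transaction id"
    if f["rcode"] == 2:
        return "SERVFAIL (validation failed or resolver error)"
    if f["rcode"] != 0:
        return f"rcode {f['rcode']}"
    return "secure (AD set)" if f["ad"] else "insecure (no AD flag)"


def check(name: str, resolver: str = "127.0.0.1", timeout: float = 3.0) -> str:
    """Send the query over UDP to `resolver` (assumed to validate) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return dnssec_status(data)


if __name__ == "__main__":
    for n in ("bootstrap.ring.cx", "dhtproxy.jami.net", "turn.jami.net", "bootstrap.jami.net"):
        print(n, "->", check(n))
```

For a sanity check of the resolver itself, query a name you know is signed first: if that also reports "insecure", the resolver is not validating and the result says nothing about the zone.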