Comment by tptacek

6 hours ago

Which is exactly what happened to Slack, and took them offline for most of a business day for a huge fraction of their customers. This is such a big problem that there's actually a subsidiary DNSSEC protocol (DNSSEC NTA's) that addresses it: tactically disabling DNSSEC at major resolvers for the inevitable cases where something breaks.

15 comments

tptacek

indolering 5 hours ago

As if DNS isn't a major contributing to A LOT of downtime. That doesn't mean it's not worth doing not investing in making deployment more seamless and less error prone.

twelvedogs 4 hours ago

The difference is DNS provides a fairly obvious up side
growse 5 hours ago
> As if DNS isn't a major contributing to A LOT of downtime. That doesn't mean it's not worth doing not investing in making deployment more seamless and less error prone.
Ah yes. Let's take something that's prone to causing service issues and strap more footguns to it.
It's not worth it, because the cost is extremely quantifiable and visible, whereas the benefits struggle to be coherent.
- indolering 4 hours ago
  
  The benefits are huge: there are lots of attacks that DNSSEC trivially prevents and it would help secure more than just web browsers.
  
  11 replies →