Comment by cyberax
4 hours ago
> I don't think I'm out on a limb suggesting that random small domains should not enable DNSSEC.
Why? I can see this argument for large domains that might be using things like anycast and/or geography-specific replies. But for smaller domains?
> There's basically zero upside to it for them.
It can reduce susceptibility to automated wormable attacks. Or to BGP-mediated attacks.
Explain the "wormable attack" DNSSEC addresses? I feel pretty well read into wormability, having done a product in the space.