Comment by indolering
10 hours ago
DNSSEC also solves a bunch of real world threat models that do cause massive security issues. I think we should put that effort into DNS as well.
Somehow they cause these massive security issues without impacting the 95%+ of sites that haven't used the protocol since it became viable to adopt a decade and a half ago.
It's just a very difficult statistic to get around! Whenever you make a claim like this, you're going to have to address the fact that basically ~every high-security organization on the Internet has chosen not to adopt the protocol, and there are basically zero stories about how this has bitten any of them.
Does it?
I run a bunch of websites personally. I have ACME-issued TLS certificates from LetsEncrypt. I monitor the Certificate Transparency logs, and have CAA records set.
What's the threat model that should worry me, where DNSSEC is the right improvement?