The concern I have with DNSSEC is that if it's adopted --- where "adopted" means "by the major email providers and by browsers" --- there's not much you can do to protect yourself from the SIGINT agencies that control the top of the DNS tree.
If there was a significant benefit to users for DNSSEC adoption, I'd be my normal tedious "maybe it's good, maybe it's bad" self. But the benefits aren't there. Instead, DNSSEC will impose immense operational costs and in some ways reduce security:
If there was a significant benefit to users for DNSSEC adoption, I'd be my normal tedious "maybe it's good, maybe it's bad" self. But the benefits aren't there. Instead, DNSSEC will impose immense operational costs and in some ways reduce security:
https://news.ycombinator.com/item?id=10541719
This isn't a hard decision and I don't have a hard time siding with the anti-surveillance crowd on it.