Let's not lose sight of the fact that DNSSEC purports to make client connections more secure. Does it?

- If the server in question doesn't have DNSSEC set up: No.
- If there is a problem with one of the pieces of DNS infrastructure between the server and client: No.
- If the DNS resolver server the client is using doesn't support DNSSEC: No.
- If the client's stub resolver isn't a validating one: No.
- The user is never notified if DNSSEC is working for them or not. They can only determine this by making queries with a command-line tool, or when they get a 'could not resolve domain' error on an invalidly-configured domain.

---

Compare this to HTTPS, where the only thing the client needs to verify a secure connection is:

- The server delivering its certificate and certificate chain to the client
- The client validates the certificates
- If it isn't validated, the user knows immediately.

You can go ahead and implement DNSSEC for your server, but when it comes to HTTPS connections, this does not improve user security over what we have now.
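The "only by making queries with a command-line tool" point above can be seen in the protocol itself: whether a resolver validated an answer is signalled only by the AD bit in the DNS header. The following is an added example, not part of the original comment, that builds a DNSSEC-aware query (EDNS0 with DO set) and classifies a resolver's response from its header flags; the three sample responses are constructed, and the resolver address in the socket helper is an assumption.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated the answer
RCODE_SERVFAIL = 2

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query for `name` with AD set in the header and an EDNS0 OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode/version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_flags(message: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields relevant to validation status."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "ra": bool(flags & FLAG_RA), "answers": an}

def validation_status(response: bytes) -> str:
    """What a stub resolver could tell the user, if anything did."""
    f = parse_flags(response)
    if f["rcode"] == RCODE_SERVFAIL:
        return "servfail"      # bogus signatures or a broken path: indistinguishable here
    if f["ad"]:
        return "validated"     # resolver asserts the chain of trust checked out
    return "unvalidated"       # unsigned zone, non-validating resolver, or AD stripped

def query_resolver(name: str, resolver: str = "192.0.2.53", timeout: float = 3.0) -> str:
    """Send the query over UDP and classify the reply (resolver address is a placeholder)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return validation_status(data)

# Constructed 12-byte response headers (no question/answer sections needed for the flags)
VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 1)
```

Note that an `unvalidated` result cannot tell you which link in the chain listed above is missing, which is exactly the gap the comment describes.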