[hackcoughgasp]

If you're going to argue that implementation difficulties make DNSSEC too much trouble I can respect the argument. To say that it doesn't solve a problem worth solving is strange.

[tptacek]

Interrogate the thought more carefully. I understand why your default assumption is that securing DNS records is a good thing. But why is that, really? All sorts of things aren't secured cryptographically --- ARP! IP options! --- and we don't care. The modern Internet was designed with the assumption that the DNS is insecure.

[amluto]

Like SPF? Or DKIM?

ARP, and more generally any single-segment Ethernet network, is insecure, and it’s a problem. It’s just a very ingrained problem that’s unlikely to get fixed any time soon.

[tptacek]

What about SPF and DKIM? Virtually none of the world's SPF and DKIM records are signed with DNSSEC.

[amluto]

You said:

> The modern Internet was designed with the assumption that the DNS is insecure.

SPF and such may well be designed under the assumption that DNS is insecure but, under that assumption, they too are insecure.

[tptacek]

I don't understand your argument. Again, we have SPF and DKIM now, and neither rely on DNSSEC, which is good, because virtually nobody uses DNSSEC. You absolutely do need SPF and DKIM configured to be a mail sender; the Internet does rely on those. But you do not need DNSSEC to do that, and nobody cares if you do or don't.

[amluto]

And the security is weaker than it should be because the SPF, etc records are unauthenticated.

[pvg]

Interrogate the thought more carefully.

I kind of wish there was a version of 'Against DNSSEC' that was just about that. The 'Unnecessary' and 'Architecturally Unsound' parts of that argument are so strong, the other bits end up feeling like springboards for DNSSECtarians to launch into debate.