[tptacek]

Interrogate the thought more carefully. I understand why your default assumption is that securing DNS records is a good thing. But why is that, really? All sorts of things aren't secured cryptographically --- ARP! IP options! --- and we don't care. The modern Internet was designed with the assumption that the DNS is insecure.

[amluto]

Like SPF? Or DKIM?

ARP, and more generally any single-segment Ethernet network, is insecure, and it’s a problem. It’s just a very ingrained problem that’s unlikely to get fixed any time soon.

[tptacek]

What about SPF and DKIM? Virtually none of the world's SPF and DKIM records are signed with DNSSEC.

[amluto]

You said:

> The modern Internet was designed with the assumption that the DNS is insecure.

SPF and such may well be designed under the assumption that DNS is insecure but, under that assumption, they too are insecure.

[tptacek]

I don't understand your argument. Again, we have SPF and DKIM now, and neither rely on DNSSEC, which is good, because virtually nobody uses DNSSEC. You absolutely do need SPF and DKIM configured to be a mail sender; the Internet does rely on those. But you do not need DNSSEC to do that, and nobody cares if you do or don't.

[amluto]

And the security is weaker than it should be because the SPF, etc records are unauthenticated.

[tptacek]

That's not how security works. In the real world, security is in part a resource allocation problem. We spend resources to raise the cost of an attack over the threshold a model attacker would pay. There is a reason nobody gives enough of a shit to sign SPF records, and you can start to see it by taking the time to track down all the incident reports where someone exploited cache poisoning to override SPF.

[pvg]

Interrogate the thought more carefully.

I kind of wish there was a version of 'Against DNSSEC' that was just about that. The 'Unnecessary' and 'Architecturally Unsound' parts of that argument are so strong, the other bits end up feeling like springboards for DNSSECtarians to launch into debate.