[tptacek]

DNSSEC is utterly unimportant. Practically no major security team on the Internet enables it --- not Amazon's, not Google's, not Facebook's, not Microsoft's, not Apple's, not Oracle's, not IBM's, not Cisco's. The argument that DNSSEC is somehow necessary for secure infrastructure is an extraordinary claim, and it requires extraordinary evidence.

[GabeIsko]

Well, the operational requirements of commercial entities may be different than the federal government. Many of the companies that you mentioned offer FedRAMP services (with maybe the exception of Apple and Facebook), and they probably reckon with the spec on some level, even if they are not employing it internally. It is also pretty clear that Slack is going to implement it soon - they are going through all this trouble to allow to provide their signature every workspace get's a subdomain feature on FedRAMP. They really don't have to do that. Or maybe they do, in which case I would argue that it is probably good practice to be able to interrogate the DNS records they maintain.

Either way, this argument is starting to become political. Is Facebook a role model for cybersecurity, and keeping data out of the wrong hands? Or do NIST researchers know better? Neither - the government outlines its security requirements, and private companies play ball to compete for their business. And if a federal agency wants to be able to prove a DNS record's authenticity, even if it is maintained by a vendor, even if that isn't sufficient to secure their infrastructure, that's their prerogative.

[tptacek]

Facebook is better --- more competent, more effective --- at cybersecurity than the US Government by a factor of $lots.