by tptacek 1394 days ago
You're recommending this startup do DNSSEC. Can you rattle off some pre-acquisition startups of any note that have DNSSEC-signed their domains? Slack, for instance, is DNSSEC-signed (signing infamously took them off the Internet for the better part of a day) --- because Salesforce, their acquirer, required it; they did the same to Heroku (which also suffered a DNS outage).

My point is not so much to litigate DNSSEC itself (although I'll do that) as it is to establish the ground truth that DNSSEC-signing is not a norm among tech companies. It would be a particularly weird bit of ops overhead for a young startup to invest in.

If you'd like some tips on how to quickly test whether a startup (or a large list of them) have signed their domains, I'm happy to help.


It might not be the norm; my recommendation here was based on the OP mentioning it themselves, on experience with smaller companies, and on my own experience working for a TLD (consider me biased).

Norms change and from my perspective there is still a big ongoing effort to push DNSSEC adoption worldwide.

I'm curious to know why you'd argue against DNSSEC and what your experiences are with operational overhead.

If you like, substitute "best practice" for "norm". The point I'm making is that almost nobody does DNSSEC, including but not limited to the startups with the best-regarded security teams. I'm wary of pointing the "security teams" part out because it leaves the impression that maybe companies without security teams do normally turn DNSSEC on, but that's not the case: almost nobody turns DNSSEC on. It doesn't solve real problems, and it creates a bunch of new problems.

Again, a good way to rebut this would be to present examples of established startups that have DNSSEC-signed their domains. For instance: you could take the top startups list from YC (it's on the front page, and you can pull the domains out easily in the Chrome console) and then check all of them to see if they're signed.

A bunch of them are! About 8%. But that's because a bunch of them are not in North America, and European registrars in particular automatically DNSSEC-sign new zones. But take a wild guess about Stripe (huge security team). Or Instacart. Or Cruise. Or Brex (banking!). Or Reddit. Or Gusto. Zapier. Segment. Vanta (the YC standard for SOC2, FWIW).

To the extent "no DNSSEC" is a norm, and not a best practice (it is both), that norm is unlikely to change; I think DNSSEC adoption is likely to decline (as it has in some previous years). It just doesn't work.
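The survey the thread keeps coming back to, checking whether each domain in a list has actually been DNSSEC-signed, can be scripted. The following is an added example, not code from either commenter: it shells out to BIND's `dig` (assumed installed) for the DS record at the parent and the DNSKEY record in the child, and classifies each domain. A DS plus a DNSKEY means the zone is signed and chained from its parent, so validating resolvers really validate it; a DNSKEY without a DS is signed but unchained (treated as insecure); a DS without a DNSKEY is the broken state that makes validating resolvers return SERVFAIL, i.e. the "off the Internet" outage mode mentioned above. Queries run with `+cd` (checking disabled) so a broken zone still returns its records instead of an empty SERVFAIL answer. The sample `dig` answers embedded for the parser are constructed, and the domain `example.test` is a placeholder.

```python
import re
import subprocess
import sys
from typing import Dict, List

# Answer-section line from `dig +noall +answer`: "<name>\t<ttl>\tIN\t<type>\t<rdata>".
# Only DS and DNSKEY are captured; RRSIG and other types are ignored.
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(DS|DNSKEY)\s+(.*)$")

# Constructed sample dig output (not real keys), used for the offline check below.
SAMPLE_DS_ANSWER = (
    "example.test.\t3600\tIN\tDS\t12345 13 2 " + "AB" * 32 + "\n"
    "example.test.\t3600\tIN\tRRSIG\tDS 13 2 3600 20240101000000 20231201000000 1 test. c2ln\n"
)
SAMPLE_DNSKEY_ANSWER = (
    "; comment lines from dig are skipped\n"
    "example.test.\t3600\tIN\tDNSKEY\t257 3 13 " + "QUJD" * 10 + "\n"
)


def parse_dig_answer(output: str) -> Dict[str, List[str]]:
    """Collect the rdata of every DS and DNSKEY record in a dig answer section."""
    found: Dict[str, List[str]] = {"DS": [], "DNSKEY": []}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RR_LINE.match(line)
        if match:
            found[match.group(2)].append(match.group(3))
    return found


def classify(ds_output: str, dnskey_output: str) -> str:
    """Map the parent's DS answer and the child's DNSKEY answer to a signing status."""
    ds = parse_dig_answer(ds_output)["DS"]
    dnskey = parse_dig_answer(dnskey_output)["DNSKEY"]
    if ds and dnskey:
        return "signed"             # signed and chained from the parent zone
    if dnskey:
        return "signed-no-ds"       # keys published, but no DS: validators treat it as insecure
    if ds:
        return "ds-without-dnskey"  # DS points at keys that are not there: validators return SERVFAIL
    return "unsigned"


def dig_query(domain: str, rrtype: str, timeout: float = 10.0) -> str:
    """Run dig for one record type and return the raw answer section (requires `dig` on PATH)."""
    cmd = ["dig", "+noall", "+answer", "+cd", "+time=3", "+tries=1", domain, rrtype]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        raise RuntimeError(f"dig failed for {domain} {rrtype}: {exc}") from exc
    return proc.stdout


def check_domains(domains: List[str]) -> Dict[str, str]:
    """Classify each domain in the list; network errors are recorded rather than aborting the survey."""
    results: Dict[str, str] = {}
    for domain in domains:
        try:
            results[domain] = classify(dig_query(domain, "DS"), dig_query(domain, "DNSKEY"))
        except RuntimeError as exc:
            results[domain] = f"error: {exc}"
    return results


def signed_fraction(results: Dict[str, str]) -> float:
    """Share of surveyed domains that are signed and chained (the only state validators enforce)."""
    if not results:
        return 0.0
    return sum(1 for status in results.values() if status == "signed") / len(results)


if __name__ == "__main__":
    # Usage: python dnssec_survey.py domain1 domain2 ...  (or pipe a list via xargs)
    targets = sys.argv[1:]
    if not targets:
        sys.exit("give one or more domains to check")
    survey = check_domains(targets)
    for name, status in survey.items():
        print(f"{name:40s} {status}")
    print(f"signed and chained: {signed_fraction(survey):.0%}")
```

This checks the presence of the records that make up the chain of trust, not that the RRSIGs actually verify; for that, query through a validating resolver without `+cd` and look for the AD flag, or use a dedicated validator.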