by lambdaone 867 days ago
By making it hard just to hijack a crucial TLD and transfer it over to a potential adversary without the cooperation of multiple trusted parties? It seems to me this is DNSSEC working as designed, and being remarkably flexible in doing so. Sometimes things _should_ be difficult to do.

Yeah I hate that people can't acknowledge that friction is sometimes intentional.

Not everything -should- be easy.

For example I designed a system at a previous company that used Shamir's Secret Sharing to protect a very very important root key. We used an intermediate of this key for most operations but it came time to rotate it and folks were surprised by the ceremony involved in doing so.

i.e. the root key was decrypted using X of N members of the SSS group, a new intermediate generated and the special NUC that was designed for this purpose returned to its safe (which was also using a Yubikey as like a mini-HSM too).

Those keys protected very important PII and I deemed this the minimum necessary friction; ideally I would have gone further if that was tenable.

Some things really should be hard, and that hardness should be proportional to how horrible the implications of someone unauthorized doing that thing would be.

> Not everything -should- be easy.

the entirety of .nz probably wouldn't agree with you when they had a 2-day outage due to a slight DNSSEC misconfiguration

???

at best that means there's more need for practice, testing, better processes, and so on. it does not mean everything should be easy. (especially changes to a critical name authority.)

there's an argument that maybe .nz needs to spend more on this, delegate this, or accept a decreased security assurance, but that's definitely not true in general.

if you read the post-mortem they did everything by the book

they made a small mistake, and .nz was down for 2 days as a result

of course the 95% of people that have competent ISPs that don't verify DNSSEC records were completely unaffected

there's a reason ALL major tech companies refuse to deploy it for their zones

> they made a small mistake

> and .nz was down for 2 days as a result

so it was not a small mistake

yes, the same thing happens when people start using technology that actually verifies what it reads/writes. i.e. btrfs, ZFS, ECC, etc. and turns out disks fail, bits rot, etc. it was just unnoticed.

Most, not all. Salesforce is a notable counterexample.

In how many instances over the last 10 years has a country code TLD for a country of New Zealand's size or greater been stolen? It doesn't make sense to talk about benefits without costs, and vice versa. Error-prone and dangerous security demands urgent problems. Is TLD hijack one of them? It is not.