by davidu 754 days ago
DNSSEC is a complicated kitchen sink that doesn't do the fundamentals (encrypt DNS traffic). It is also very black-box with the current tooling (not by design, but by implementation), which makes deployment perilous and confusing.

It's really a PKI infrastructure masquerading as a secure DNS system.

There's value in a PKI infrastructure for domain names, but it probably won't look exactly like DNSSEC. And there's value in encrypting DNS, but that is definitely not DNSSEC. I helped invent and deploy DNSCrypt, which is strongly encrypted DNS but doesn't provide the PKI components. There are plenty of ways to do that part, however, that would be much lighter in weight than DNSSEC.

I'm not motivated to do it now with my current day job (American Dynamism) but someone out there could.