[deepsun]

I consider it as basic security measure as SSL. Otherwise any MitM can easily redirect users to a phishing resource.

Did DNSSEC for company website, worked with zero maintenance for several years. On a cloud-provided DNS. Would want the same on self-hosted DNS too.

[0x073]

"Otherwise any MitM can easily redirect users to a phishing resource."

Yes, but with nowadays https/tls usage it's almost irrelevant for normal websites.

If bad actors can create valid tls certs they can solve the dnssec problem.

[throw0101d]

> If bad actors can create valid tls certs they can solve the dnssec problem.

I think you have it backwards: by not running DNSSEC it can mean bad actors (at least a certain level) can MITM the DNS queries that are used to validate ACME certs.

It is now mandated that public CAs have to verify DNSSEC before issuing a cert:

* https://news.ycombinator.com/item?id=47392510

So if you want to reduce the risk of someone creating a fake cert for one of your properties, you want to protect your DNS responses.

[0x073]

If you mean MITM between DNS Server and CA (e.g. letsencrypt), thats on a level of BGP hacking (means for me government involved) and means they can just use a CA (e.g. Fina CA 2025 with cloudflare).

I think the risk didn't change much (except for big corp/bank).

[throw0101d]

At one point (pre-HTTPS ubiquity) the NSA hacked (e.g.) Belgium telecoms via injecting malware into web response from (e.g.) Slashdot:

* https://thehackernews.com/2013/11/snowden-reveals-gchq-plant...

* https://www.aclu.org/documents/quantum-insert-diagrams

* https://en.wikipedia.org/wiki/Man-on-the-side_attack

Still state-level, but probably less noticeable than BGP hijacking.

Unless you're entering IP addresses in all your applications and code, non-SEC DNS is an unsecured link in the chain of communications.