[gerdesj]

That article kicks off with a politically motivated "issue" which seems pointed at the US Govt (USG) before dealing with perceived architectural issues.

The thing about trust anchors is that they are trust anchors and not a back door. DNSSEC goes well out of its way too, to not screw up things as far as possible if something is missing. OK, client implementations do that (I haven't gone into the RFCs in too much detail).

The architectural issues alluded to seem pretty handwavy too. I deployed a slack handful of PowerDNS boxes and adding DNSSEC is basically two CLI invocations per domain and passing on the DS records to upstream. The second invocation is to add an adjustment to deal with NXDOMAIN better (can't remember the exact thing at the moment)

If it doesn't work for you then fine - don't use it!

I find it useful and thanks to a decent implementation (so far) it is trivial to implement. However, I'm going to need to get my thinking cap on for some split-horizon domains.

[tptacek]

It doesn't work for most sites, which is why so few organizations use it. It's awfully hard to make an argument about how straightforward DNSSEC is to use after DNSSEC had to be disabled by Cloudflare and Quad9 for all of Germany because of a misconfiguration. And it's more or less impossible to take seriously as a security boundary after that. Real security protocols fail closed.

[gerdesj]

A fuck up or two doesn't invalidate DNSSEC. IT related security is hard, really hard as you well know, but not impossible nor likely perfect and always a moving target.

Putting security on top of DNS is really, really hard because DNS was invented rather a long time ago when information wanted to be free and not fettered and I wore short trousers at school and in the distant future would run an IBM System /36!

When you confidently insist on "most sites" you appear to want to rudely trample on my experience of "it works for me and my 20 at the moment DNS domains and increasing as I migrate them over". I'm taking my time - I have quite a few more to do and each one needs adding to monitoring etc.

I don't run .de and I do feel for the lads n lasses that do that buggered up a KSK roll over or whatever it was that was screwed. I think that holding up a screw up is an extremely crass and facile argument against ... anything, let alone a rather esoteric engineering function.

I don't agree with your assertion about "Real security protocols fail closed." That sounds like striving for perfection and you know as well as I do that perfect is the enemy of good.

DNSSEC for better or worse is what we have and I don't think it is too bad. It does give some guarantees within certain parameters. Any decent engineer will look at the risks/rewards and decide on effectiveness and design their solutions to a requirement ... accordingly.

[tptacek]

I came to this thread with data. Your 20-at-the-moment DNS domains versus the current signing statistics of the Tranco Top 1000.

At the point where we're arguing about fail-open versus fail-closed, our premises are too far apart to get anywhere. We can part company here: I'm speaking, in part, for the people who believe that any viable security protocol must fail closed.

Plenty of security protocols have ultimately failed in the marketplace and been abandoned. DNSSEC is simply another one of them.

[inigyou]

Your reasoning why DNSSEC is bad has been "most websites don't use it". Does that mean TLS was bad back when most websites didn't use it?

[tptacek]

People have been trying to make DNSSEC a thing since 1995. Even when "most websites" didn't use TLS, basically all of ecommerce did: TLS has been load-bearing since the 1990s. Meanwhile, here in 2026, it is literally true that if the root keys landed on Pastebin tonight, almost nobody would need to be paged.

[gerdesj]

You have deployed proof by assertion - I am powerless.

I am only describing my own experience and not pontificating on behalf of the world.

[inigyou]

tptacek is HN's resident DNSSEC hater. I think he also hates IPv6.

[tptacek]

I built the IPv6 private network system at Fly.io.