|
|
|
|
|
|
by tptacek
1 day ago
|
|
|
It doesn't work for most sites, which is why so few organizations use it. It's awfully hard to make an argument about how straightforward DNSSEC is to use after DNSSEC had to be disabled by Cloudflare and Quad9 for all of Germany because of a misconfiguration. And it's more or less impossible to take seriously as a security boundary after that. Real security protocols fail closed. |
|
|
Putting security on top of DNS is really, really hard because DNS was invented rather a long time ago when information wanted to be free and not fettered and I wore short trousers at school and in the distant future would run an IBM System /36!
When you confidently insist on "most sites" you appear to want to rudely trample on my experience of "it works for me and my 20 at the moment DNS domains and increasing as I migrate them over". I'm taking my time - I have quite a few more to do and each one needs adding to monitoring etc.
I don't run .de and I do feel for the lads n lasses that do that buggered up a KSK roll over or whatever it was that was screwed. I think that holding up a screw up is an extremely crass and facile argument against ... anything, let alone a rather esoteric engineering function.
I don't agree with your assertion about "Real security protocols fail closed." That sounds like striving for perfection and you know as well as I do that perfect is the enemy of good.
DNSSEC for better or worse is what we have and I don't think it is too bad. It does give some guarantees within certain parameters. Any decent engineer will look at the risks/rewards and decide on effectiveness and design their solutions to a requirement ... accordingly.