| A fuck up or two doesn't invalidate DNSSEC. IT related security is hard, really hard as you well know, but not impossible nor likely perfect and always a moving target. Putting security on top of DNS is really, really hard because DNS was invented rather a long time ago when information wanted to be free and not fettered and I wore short trousers at school and in the distant future would run an IBM System /36! When you confidently insist on "most sites" you appear to want to rudely trample on my experience of "it works for me and my 20 at the moment DNS domains and increasing as I migrate them over". I'm taking my time - I have quite a few more to do and each one needs adding to monitoring etc. I don't run .de and I do feel for the lads n lasses that do that buggered up a KSK roll over or whatever it was that was screwed. I think that holding up a screw up is an extremely crass and facile argument against ... anything, let alone a rather esoteric engineering function. I don't agree with your assertion about "Real security protocols fail closed." That sounds like striving for perfection and you know as well as I do that perfect is the enemy of good. DNSSEC for better or worse is what we have and I don't think it is too bad. It does give some guarantees within certain parameters. Any decent engineer will look at the risks/rewards and decide on effectiveness and design their solutions to a requirement ... accordingly. |
At the point where we're arguing about fail-open versus fail-closed, our premises are too far apart to get anywhere. We can part company here: I'm speaking, in part, for the people who believe that any viable security protocol must fail closed.
Plenty of security protocols have ultimately failed in the marketplace and been abandoned. DNSSEC is simply another one of them.