On 4/21/21 6:57 PM, Bron Gondwana wrote:
Rob wrote "DNSSEC is fragile and easy to get wrong in subtle ways." I say that DNSSEC is operational poison - it's hard to get right, easy to get wrong, and most importantly hard to debug failures when they happen - your users aren't going to be able to report the cause. It's theoretically good tech, but it clearly isn't getting traction and berating those who choose not to use it doesn't help.[...]
And if it makes everything more fragile, that's a downside too. DNSSEC makes things fragile, based on the number of big-name sites that screw it up every year. It also makes it much more expensive - DNSSEC is hard to get right and hard to keep right.
I suspect that work invested in getting this fixed (whether that means tweaking DNSSEC, better tools, or both) would be a lot more useful (and satisfying) than a great many of the ideas that get kicked around on the ietf@ list.
Keith