On Thu, Apr 22, 2021 at 08:57:12AM +1000, Bron Gondwana wrote:

> Personally, I'm right in there with indictments on DNSSec in general. I
> didn't write this, but I stand by it:
>
> https://fastmail.blog/2016/12/20/dnssec-dane/
>
> Rob wrote "DNSSEC is fragile and easy to get wrong in subtle ways." I
> say that DNSSEC is operational poison - it's hard to get right, easy
> to get wrong, and most importantly hard to debug failures when it
> happens - your users aren't going to be able to report the cause.
> It's theoretically good tech, but it clearly isn't getting traction
> and berating those who choose not to use it doesn't help.

This rehashing of stale and outdated strawman DNSSEC-bashing is neither
necessary nor productive. Your critique of the assumptions about Google
stands on its merits, without needing to disparage the technical
specifics.

The tools for managing DNSSEC reliably have gotten substantially better
over the years. Indeed Google has signed a number of its own domains,
including the .goog TLD and hundreds of thousands of customer domains
they're DNS hosting. Google are having no problems running one of the
largest DNSSEC operations on the planet. What they have not done, for
various reasons that are not relevant here, is sign google.com or
gmail.com, ... I can make a potentially plausible guess as to why, but
they're not relevant.

> DNSSEC makes things fragile based on the number of big name sites that
> screw it up every year.

Microsoft just had a recent DNS failure without DNSSEC, the major cloud
services have had intermittent outages also unrelated to DNSSEC. I've
seen no evidence that DNSSEC is particularly more fragile than other
technologies we operate.

> It also makes it much more expensive - DNSSEC is hard to get right and
> hard to keep right.

This is no longer true. The tools for reliable automated signing and
monitoring thereof have improved substantially. Only naive
seat-of-the-pants deployments with no monitoring are more fragile.

My domain has been signed since 2014 without any disruptions, with just
a modest monitoring script that has alerted me to pending expiration
(automated re-signing wasn't kicking in) a couple of times, well before
the signatures expired. The bugs that resulted in resigning not
happening have been fixed for some time, and I don't have to expend any
energy to keep DNSSEC running, it just works.

-- 
	Viktor.
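The "modest monitoring script" the message mentions is not included in the thread; the following is an added example of the kind of check it describes, not Viktor's own code. It parses RRSIG records in the presentation format `dig +dnssec` prints and flags signatures that are expired, not yet valid, or due to expire within a warning window, which is exactly the condition that reveals automated re-signing has silently stopped. The sample records, zone name, key tags and signature data are constructed placeholders.

```python
"""Flag DNSSEC signatures that are expired or about to expire.

RRSIG presentation format (RFC 4034, section 3.2), one record per line:
  owner TTL IN RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
Expiration and inception are YYYYMMDDHHmmSS in UTC.
"""
from datetime import datetime, timezone

# Constructed sample input (as `dig +dnssec +noall +answer` would print it);
# the zone, key tags and signature data are placeholders, not real values.
SAMPLE_RRSIGS = """\
example.org. 3600 IN RRSIG SOA 13 2 3600 20240115120000 20240101120000 12345 example.org. PLACEHOLDERSIG==
example.org. 3600 IN RRSIG MX 13 2 3600 20240105000000 20231222000000 12345 example.org. PLACEHOLDERSIG==
example.org. 3600 IN RRSIG DNSKEY 13 2 3600 20240301000000 20240101000000 54321 example.org. PLACEHOLDERSIG==
"""


def parse_rrsig_time(stamp: str) -> datetime:
    """Convert an RRSIG YYYYMMDDHHmmSS timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text: str) -> list:
    """Extract the fields a monitor needs from RRSIG lines; other RR types are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        records.append({
            "owner": f[0], "type_covered": f[4],
            "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
            "keytag": int(f[10]), "signer": f[11],
        })
    return records


def check_expirations(records: list, now: datetime, warn_days: float = 3) -> list:
    """Return (owner, type_covered, status, days_left) per RRSIG.

    EXPIRING fires while the signature is still valid, so an alert arrives
    before resolvers start failing validation rather than after.
    """
    results = []
    for r in records:
        days_left = (r["expiration"] - now).total_seconds() / 86400
        if r["inception"] > now:
            status = "NOT_YET_VALID"   # clock skew or a mis-set inception
        elif days_left <= 0:
            status = "EXPIRED"         # validating resolvers now return SERVFAIL
        elif days_left <= warn_days:
            status = "EXPIRING"        # re-signing should already have replaced this
        else:
            status = "OK"
        results.append((r["owner"], r["type_covered"], status, days_left))
    return results
```

Set `warn_days` larger than your signer's refresh interval (the point at which it is supposed to generate fresh signatures), so that any signature still present inside the window is proof that re-signing did not run.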