On 11/03/2024 22:30, John Levine wrote:
It appears that Michele Neylon - Blacknight via anti-abuse-wg <michele@blacknight.com> said:
Several ccTLD registries have given discounts for DNSSEC.
What is unclear is how many of the domains with DNSSEC enabled are in active use, so the lack of "problems" could be simply down to a complete lack of use / ignorance that the technology was enabled.
My main issue with focus on DNSSEC is that it is seen being a "good use" of resources, so small registries who should invest in other things that are fundamentally more important feel obliged to enable it. There's also the entire "I've got DNSSEC so now my domain / site / service is secure" belief. Much like people who think that smacking an SSL cert on their site magically renders it secure.
It makes sense if you're likely to be a phish target or you're sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.
I agree that for random little private domains the benefit is marginal.
DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype. Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles. Best Ale --