[dns-operations] .PL DNSSEC broken again
jared at puck.nether.net
Mon Jun 17 19:59:51 UTC 2019
> On Jun 17, 2019, at 1:33 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 17 Jun 2019, bert hubert wrote:
>> The problem is that from an operator point of view, DNSSEC is optional.
> Only because IETF does not have the guts to deprecate insecure spoofable DNS.
> It's 2019 and we depend on unsigned data across the internet for core
> infastructure. And now putting some transport security bandaids on it.
This is a very narrow view of the problem space. "The IETF" can declare IPv4 dead and
operators will not give it a second thought as well.
Now that we’ve moved beyond the Hyperbole part of the e-mail thread, the reality is
if a feature like this causes pain, an operator will turn it off. They don’t want to
spend extra time/money/resources monitoring it when it’s not providing value to them
directly, end-user impact isn’t part of their equation as their phones are not ringing.
An operator goal is to minimize customer complaints while maximizing service delivered.
More information about the dns-operations