[dns-operations] DNSSEC deployment incentives
dw at thedave.ca
Tue Jun 18 03:56:41 UTC 2019
On 2019-06-17 18:48, Jothan Frakes wrote:
> Most IT departments are painfully optimized for time and staffing, so
> the increased LoE per zone is a factor that is dragging the adoption.
Same problem with validating. I've got a handful of domains where I
don't validate DNSSEC because we needed to resolve them while their
DNSSEC was broken and there is simply no incentive to review that list.
Cloudflare's forums are full of customers complaining about 188.8.131.52 not
resolving something and at least half the time it is DNSSEC related.
Were I managing more users and seeing an economic penalty to the time
investment it takes to troubleshoot other company's DNSSEC and grant an
exception, plus the downtime of my local user, I would strongly consider
turning validation off as the practical risk is very minimal and the
cost is non-trivial the first time it hits a CFO or interferes with an
interaction with a customer of substantial size.
More information about the dns-operations