[dns-operations] DNSSEC deployment incentives
Dave Warren
dw at thedave.ca
Tue Jun 18 03:56:41 UTC 2019
On 2019-06-17 18:48, Jothan Frakes wrote:

> Most IT departments are painfully optimized for time and staffing, so
> the increased LoE per zone is a factor that is dragging the adoption.

Same problem with validating. I've got a handful of domains where I
don't validate DNSSEC because we needed to resolve them while their
DNSSEC was broken and there is simply no incentive to review that list.

Cloudflare's forums are full of customers complaining about 1.1.1.1 not
resolving something and at least half the time it is DNSSEC related.

Were I managing more users and seeing an economic penalty to the time
investment it takes to troubleshoot other companies' DNSSEC and grant an
exception, plus the downtime of my local user, I would strongly consider
turning validation off as the practical risk is very minimal and the
cost is non-trivial the first time it hits a CFO or interferes with an
interaction with a customer of substantial size.