[dns-operations] DNSSEC deployment incentives

Michael Sinatra michael at brokendns.net
Tue Jun 18 20:58:45 UTC 2019

On 2019-06-18 13:48, John Levine wrote:
> In article <mailman.150.1560889668.1398.dns-operations at lists.dns-oarc.net> you write:
>> -=-=-=-=-=-
>> -=-=-=-=-=-
>> On 18 Jun 2019, at 21:21, Bill Woodcock wrote:
>>>> Why not get some TLSA records going for that server too Bill, if you're
>>>> using TLS?
> Now we get to ponder which is more broken, DNSSEC (and registrar
> account compromises), or the world of CAs.

Seeing as how at least some of the attack vectors for DNS hijacking
currently being used are made more difficult and detectable with DNSSEC
enabled, I'd say the latter.


More information about the dns-operations mailing list