[dns-operations] DNSSEC deployment incentives

John R Levine johnl at taugh.com
Tue Jun 18 21:31:51 UTC 2019


>> Now we get to ponder which is more broken, DNSSEC (and registrar
>> account compromises), or the world of CAs.
>
> Seeing as how at least some of the attack vectors for DNS hijacking
> currently being used are made more difficult and detectable with DNSSEC
> enabled, I'd say the latter.

There's no question that CAs are very broken, but there's also no question 
that browsers have been reluctant to use TLSA so you can't actually 
depend on it.

Regards,
John Levine, johnl at taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


