[dns-operations] DNSSEC deployment incentives

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jun 18 22:52:27 UTC 2019

On Tue, Jun 18, 2019 at 05:31:51PM -0400, John R Levine wrote:

> > Seeing as how at least some of the attack vectors for DNS hijacking
> > currently being used are made more difficult and detectable with DNSSEC
> > enabled, I'd say the latter.
> There's no question that CAs are very broken, but there's also no question 
> that browsers have been reluctant to use TLSA so you can't actually 
> depend on it.

Yes, they're not yet ready to engage in helping to improve the
DNSSEC ecosystem, rather than rail against it.  Things are different
in the MTA-to-MTA SMTP space:


so the preparatory work will happen in the SMTP space, ... flushing
out operators with buggy nameservers, nagging operators about key
sizes and aging keys, ...

One bit of good news, lining up with my earlier message about
1280-bit ZSKs being good next step is that Verisign has started
migrating their gTLD ZSKs to 1280 bits:


once that's done, we can start cajoling (or eventually nagging and
then shaming) the rest to follow along.


More information about the dns-operations mailing list