For some reason I get rather annoyed by people who write lengthy blog posts about hot topic news of the day, especially those who mostly do handwaving.
> Even if you have a team of DNS experts maintaining your zone and DNS infrastructure, the risk of routine operational tasks triggering a loss of availability (unrelated to any attempted attacks that DNSSEC may thwart) is very high - almost guaranteed to occur.
What an absurd statement. Yeah, some people have had issues. But most of those did not have a trained DNS team. Or even person. I ran DNSSEC for hundreds of TLDs as a one-man team. I'm not particularly smart or special...most TLDs have not had a DNSSEC outage. NZ did because they made mistakes, which could happen with any technology. Expired certs, for example, are much more prevalent. Should we throw away the CA system too?
I'm not even a DNSSEC advocate, really. I just find it bizarre so many people attack it as impossible to do. It's not. Attack it on its merits or lack of necessity instead.
> What an absurd statement. Yeah, some people have had issues. But most of those did not have a trained DNS team. Or even person. I ran DNSSEC for hundreds of TLDs as a one-man team. I'm not particularly smart or special...most TLDs have not had a DNSSEC outage. NZ did because they made mistakes, which could happen with any technology.
The evidence base is growing that even with a well-funded, competent DNS team, it's very possible to completely shoot yourself in the foot with a minimum time to recovery not entirely within your control. This is not a good technology with well-thought-through failure modes.
> Expired certs, for example, are much more prevalent. Should we throw away the CA system too?
When my website cert expires, my entire domain and all its endpoints don't completely become unreachable with no easy workaround. The impact is very different.
> I'm not even a DNSSEC advocate, really. I just find it bizarre so many people attack it as impossible to do. It's not. Attack it on its merits or lack of necessity instead.
It's a bit like the arguments around programming languages like C/C++. Just because you think you can write C with zero memory issues, doesn't mean we should be encouraging everyone else to.
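The failure mode the two commenters are arguing about is a concrete one: once an RRSIG on a zone lapses (or a resigning job silently stops), every validating resolver answers SERVFAIL for the affected names, and the cached copies keep doing so until their TTL runs out, which is the "time to recovery not entirely within your control" above. The script below is an added illustration, not code from either commenter; it parses RRSIG records in standard presentation format, flags signatures that are expired, not yet valid, or inside a warning window, and reports the cache lifetime a validator gives each RRset (RFC 4035 caps it at the remaining signature validity). The records and the reference time are constructed samples under the reserved name example.test; in practice the input would be `dig +dnssec` output or the signed zone file.

```python
"""Flag DNSSEC signatures (RRSIG) that are expired or about to expire.

Added illustration, not code from the thread. Records and the reference
time below are constructed samples; a real check reads `dig +dnssec`
output or the signed zone file instead of SAMPLE_RRSIGS.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIGs in presentation format (RFC 4034 section 3.2):
# owner TTL class RRSIG type-covered algorithm labels original-TTL
#   signature-expiration signature-inception key-tag signer signature
SAMPLE_RRSIGS = """\
example.test.     3600 IN RRSIG SOA    13 2 3600 20240301000000 20240201000000 12345 example.test. c29h
example.test.     3600 IN RRSIG DNSKEY 13 2 3600 20240212120000 20240201000000 54321 example.test. ZG5z
www.example.test.  300 IN RRSIG A      13 3  300 20240205000000 20240201000000 12345 example.test. YQ==
"""

# Constructed "current time" so the sample output is reproducible.
SAMPLE_NOW = datetime(2024, 2, 10, 0, 0, 0, tzinfo=timezone.utc)


def _parse_time(text):
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into its named fields."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": fields[0],
        "ttl": int(fields[1]),
        "type_covered": fields[4],
        "expiration": _parse_time(fields[8]),
        "inception": _parse_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def effective_ttl(rec, now):
    """Cache lifetime a validating resolver gives the RRset: RFC 4035
    section 5.3.3 says it must not exceed the remaining signature validity."""
    remaining = (rec["expiration"] - now).total_seconds()
    return int(max(0, min(rec["ttl"], remaining)))


def check_signatures(records_text, now, warn_before=timedelta(days=3)):
    """Return one finding per RRSIG with a status and the seconds left.

    EXPIRED / NOT_YET_VALID already fail validation (SERVFAIL to clients);
    EXPIRING is the window in which a stuck resigning job must be noticed.
    """
    findings = []
    for line in records_text.splitlines():
        if not line.strip():
            continue
        rec = parse_rrsig(line)
        remaining = rec["expiration"] - now
        if remaining <= timedelta(0):
            status = "EXPIRED"
        elif now < rec["inception"]:
            status = "NOT_YET_VALID"
        elif remaining <= warn_before:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append({
            "owner": rec["owner"],
            "type_covered": rec["type_covered"],
            "status": status,
            "seconds_remaining": int(remaining.total_seconds()),
            "effective_ttl": effective_ttl(rec, now),
        })
    return findings


if __name__ == "__main__":
    for f in check_signatures(SAMPLE_RRSIGS, SAMPLE_NOW):
        print(f"{f['status']:<14} {f['owner']:<20} {f['type_covered']:<7} "
              f"remaining={f['seconds_remaining']}s cache<={f['effective_ttl']}s")
```

The warning window is the operational knob: it should be longer than the resigning interval plus the longest TTL in the zone, so that a failed resign is caught while validators are still serving good signatures rather than after they have started failing.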