1. 6
  1. 3

    The change has been reverted with the message “The world is not ready for dnssec enabled by default.”

    1. 1

      I don’t really get what arguments there are for not having DNSSEC. But then, the world is complex and has quite a few people.

      Good to see that there is an actual working revocation mechanism, though - including … well done and very clear.

      1. 4

        “don’t really get what arguments there are for not having DNSSEC”

        The benefits don’t outweigh the issues, so it’s not worth it.

        • DNSSEC’s security ultimately is in the hands of whoever runs a top level domain. Not all domains are run with the same level of, let’s say, competency, so depending on the top level domain, DNSSEC might provide little to no additional security while pretending otherwise.
        • DNS resolution is very low level in the OSes to the point where there’s little option for error reporting. Any certificate chain validation error will be seen as a failure to resolve a name by client applications and there’s no API to provide more details. This leads to hard-to-debug issues.
        • DNSSEC is using late-’90s levels of key strengths and algorithms and upgrading those is very hard and requires cooperation between all of the DNSSEC users at once (read: is unlikely to happen).
        • DNSSEC provides no encryption, so comes with zero privacy benefits for users.

        The increased maintenance issues and the non-existent error reporting for end users are bad enough issues that can’t be compensated by what practically amounts to only little more than security theatre.
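The error-reporting point above is worth seeing concretely. The following is an added example, not code from the thread: it builds two constructed SERVFAIL responses in raw DNS wire format and parses them back. One is a bare SERVFAIL (the indistinguishable case the comment describes); the other carries an Extended DNS Error option (RFC 8914, EDNS option code 15), which validating resolvers such as Unbound, BIND and Knot can attach so that a client can tell “DNSSEC bogus” from “upstream unreachable”. The qname, the message ID and the error text are made-up sample values.

```python
"""Added example (not from the thread): a bare SERVFAIL versus one carrying an
Extended DNS Error (RFC 8914), parsed straight from constructed wire format."""
import struct

# RFC 8914 INFO-CODE registry values (constructed lookup table from the RFC).
EDE_CODES = {
    0: "Other Error", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing",
    13: "Cached Error", 14: "Not Ready", 15: "Blocked", 16: "Censored",
    17: "Filtered", 18: "Prohibited", 19: "Stale NXDOMAIN Answer",
    20: "Not Authoritative", 21: "Not Supported", 22: "No Reachable Authority",
    23: "Network Error", 24: "Invalid Data",
}
DNSSEC_EDE = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}   # codes that mean "validation failed"
TYPE_OPT = 41          # EDNS(0) pseudo-RR type
OPTION_EDE = 15        # Extended DNS Error option code
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, rcode, ede=None, ad=False):
    """Build a minimal response with one question and one OPT record (constructed sample)."""
    flags = 0x8180 | (rcode & 0xF)          # QR, RD, RA set; rcode in the low nibble
    if ad:
        flags |= 0x0020                      # AD: resolver validated the answer
    rdata = b""
    if ede is not None:
        code, text = ede
        payload = struct.pack("!H", code) + text.encode("utf-8")
        rdata = struct.pack("!HH", OPTION_EDE, len(payload)) + payload
    # OPT RR: root name, type 41, class = UDP payload size, TTL field carries the DO bit.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)   # ID, flags, counts
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # A, IN
    return header + question + opt


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return rcode, AD flag and any EDE (code, text) pairs found in the OPT record."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # qtype + qclass
    edes = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_OPT:
            continue
        p = 0
        while p + 4 <= len(rdata):           # walk the EDNS option list
            ocode, olen = struct.unpack("!HH", rdata[p:p + 4])
            body = rdata[p + 4:p + 4 + olen]
            p += 4 + olen
            if ocode == OPTION_EDE and len(body) >= 2:
                edes.append((struct.unpack("!H", body[:2])[0], body[2:].decode("utf-8", "replace")))
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "ede": edes}


def explain(msg):
    """What a client can conclude from the response, with and without EDE."""
    r = parse_response(msg)
    if r["rcode"] != RCODE_SERVFAIL:
        return "authenticated answer" if r["ad"] else "answer (not validated)"
    if not r["ede"]:
        return "SERVFAIL with no extended error: cannot tell DNSSEC failure from outage"
    code, text = r["ede"][0]
    kind = "DNSSEC validation failure" if code in DNSSEC_EDE else "resolver error"
    return f"{kind}: {EDE_CODES.get(code, 'Unknown')} ({code}) {text}".rstrip()


if __name__ == "__main__":
    print(explain(build_response("example.com", RCODE_SERVFAIL)))
    print(explain(build_response("example.com", RCODE_SERVFAIL, ede=(7, "RRSIG expired"))))
    print(explain(build_response("example.com", 0, ad=True)))
```

The stub resolver APIs most applications use (getaddrinfo and friends) discard the OPT record entirely, which is why the comment’s complaint holds for them; an application or monitoring agent that speaks DNS itself can read the EDE option and log the real cause.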

        1. 2

          So the argument is that because there are theoretical attacks at the state-actor level and it is unattractive work at the other end, you don’t change the default at the client/resolver side for the 99.99% of use cases to protect against all kinds of local hijacks by random script kiddies? Anything that breaks because of DNSSEC is supposed to break hard, and intentionally so. Mistakes are extremely uncommon compared to the exposure to risks on a daily basis (any untrusted network…). Any mistake at the server end of some individual would be fixed soon enough, and would not contaminate others. It is not mandatory, so any service just doesn’t implement DNSSEC server side and the risk disappears completely. Debugging is not so hard either, because it will consistently hard fail for everyone. As a user, I posit there is no risk and all benefits.

          Because you disregard things like DANE, SSHFP, PGP that require DNSSEC and actually do have significant privacy benefits…