In 2020 I scraped Fortune top 500 companies for DNSSEC and found iirc one domain using DNSSEC.

It certainly feels like the wrong way of solving problems (ramming more into the domain registry always seems like a bad option). Is the technology dead or destined to fail?

Edit: rationale: DNSSEC solves domain validity, but HTTPS TLS solves almost the same problem but has better backing (Azure said they don't support DNSSEC and recommended TLS as a better alternative). DNSSEC also does not solve BGP hijacking, which combined with IP-based TLS signing servers moots any value DNSSEC has - sure you could registrar-lock your domain via DNS (preventing Let's Encrypt signing things), but if a threat actor has the capability to BGP hijack to perform such an attack and is targeting you, you probably have bigger issues elsewhere.
DNSSEC designers screwed up by making rollovers to be atomic. Instead, they should have allowed the responses to be signed by two keys. And a way to specify as a hint which key should be used, so that the zone owner could gather feedback on the rollover safety.
It seems like some folks are missing the motivation for DNSSEC and suggesting TLS instead. If your threat model includes global adversaries, you can't rely on TLS because governments can trivially compromise TLS providers and TLS exposes users to the lowest common denominator TLS. The lowest common denominator TLS (ACME DNS-01) and the mitigation to the TLS provider problem (CAA records) are both based on DNS.

So you either accept that TLS is the global maximum for security and world governments can basically permanently compromise the internet, or you build private PKI systems, or you want something like DNSSEC. And DNSSEC is something like DNSSEC.
DNSSEC is easily the worst upgrade, multiplying complexity and brittleness, with the least amount of net benefit (without even adding encryption), that could have been solved in much simpler ways, that the Internet has ever attempted -- and that's including IPv6 (which is now quite workable).

Speaking as someone whom most people consider a DNS expert and who actually did help develop and deploy something substantially additive that is in widespread use today (DNSCrypt). ¯\_(ツ)_/¯
I hope the situation gets resolved swiftly, and lessons learned from this incident can contribute to stronger and more reliable DNSSEC practices in the future.
What the real problem probably is, is that all this is still being done by hand. It should be automated, and there is some work being done in that area: <https://github.com/DNSSEC-Provisioning/music>
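As an added example (not code from any commenter or from the music project), here is the check that the hand-run rollover described above tends to skip: before an old KSK is retired, the parent's DS set must already reference another KSK in the child's DNSKEY RRset. Key tags and DS digests follow RFC 4034/4509; the keys, the zone name `example.` and the 4-byte "public keys" are constructed for the arithmetic only.

```python
import hashlib

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    # DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | public key
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def owner_wire(name: str) -> bytes:
    # Canonical wire form of the owner name: lowercase, length-prefixed labels, root label
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def make_ds(name: str, flags: int, algorithm: int, pubkey: bytes) -> tuple:
    # DS record as the parent would publish it: (key tag, algorithm, digest type 2 = SHA-256, digest)
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def delegation_status(name: str, dnskeys: list, ds_set: list) -> dict:
    """For each KSK (SEP flag set) in the child's DNSKEY RRset: does the parent publish a matching DS?"""
    published = {(tag, alg, dt, dg.upper()) for tag, alg, dt, dg in ds_set}
    status = {}
    for flags, alg, pub in dnskeys:
        if flags & 1:  # SEP bit: only KSKs are expected to be referenced from the parent
            ds = make_ds(name, flags, alg, pub)
            status[ds[0]] = ds in published
    return status

def safe_to_retire(status: dict, retiring_tag: int) -> bool:
    """The retiring KSK may be dropped only if the parent already points at another KSK."""
    return any(ok for tag, ok in status.items() if tag != retiring_tag)

# Constructed example keys (not real DNSSEC keys): a 4-byte "public key" is enough for the arithmetic.
OLD_KSK = (257, 8, b"\x01\x02\x03\x04")   # key tag 2063
NEW_KSK = (257, 8, b"\x05\x06\x07\x08")   # key tag 4119
ZSK = (256, 8, b"\x09\x0a")               # no SEP bit, so no DS expected
CHILD_KEYS = [OLD_KSK, NEW_KSK, ZSK]
PARENT_DS = [make_ds("example.", *OLD_KSK)]  # parent has not yet been updated for the new key

if __name__ == "__main__":
    status = delegation_status("example.", CHILD_KEYS, PARENT_DS)
    print(status)                        # {2063: True, 4119: False}
    print(safe_to_retire(status, 2063))  # False: removing the old KSK now breaks validation
```

Automation of the kind linked above exists to keep that second condition true at every step; the same check run against live DNSKEY and DS data (fetched with a DNSSEC-aware resolver) is the cheapest pre-flight test before removing a key.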
Why can't I read this in reader mode?

Supplementary question: Why do so many sites these days opt for tiny font sizes in some shade of pale grey on white?