On 11/03/2024 22:30, John Levine wrote:
It appears that Michele Neylon - Blacknight via anti-abuse-wg 
<mich...@blacknight.com> said:

Several ccTLD registries have given discounts for DNSSEC.

What is unclear is how many of the domains with DNSSEC enabled are in active 
use, so the lack of "problems" could be simply down to a complete lack of use / 
ignorance that the technology was enabled.

My main issue with focus on DNSSEC is that it is seen as being a "good use" of 
resources, so small registries who should invest in other things that are 
fundamentally more important feel obliged to enable it. There's also the 
entire "I've got DNSSEC so now my domain / site / service is secure" belief. 
Much like people who think that smacking an SSL cert on their site magically 
renders it secure.

It makes sense if you're likely to be a phish target or you're
sophisticated enough to use DANE. DNSSEC works pretty well for Comcast.

I agree that for random little private domains the benefit is marginal.


DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype. Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles.


Best
Ale