indolering 3 hours ago
DNSSEC also solves a bunch of real world threat models that do cause massive security issues. I think we should put that effort into DNS as well.
tptacek 2 hours ago
Somehow they cause these massive security issues without impacting the 95%+ of sites that haven't used the protocol since it became viable to adopt a decade and a half ago. It's just a very difficult statistic to get around! Whenever you make a claim like this, you're going to have to address the fact that basically ~every high-security organization on the Internet has chosen not to adopt the protocol, and there are basically zero stories about how this has bit any of them.
akerl_ 2 hours ago
Does it? I run a bunch of websites personally. I have ACME-issued TLS certificates from LetsEncrypt. I monitor the Certificate Transparency logs, and have CAA records set. What's the threat model that should worry me, where DNSSEC is the right improvement?