ICANN, who would really like you to enable DNSSEC, has misconfigured DNSSEC on http://icann.com - the domain has signed records, but there is no DS record in the .com zone so the signatures don't actually do anything (except blow up the size of DNS responses, of course)
-
-
I think that detail argues your point (or part of it). Actively maintaining DNSSEC at scale is so difficult that *internet experts* like ICANN or ARIN (https://ianix.com/pub/dnssec-outages/20190111-arin.net/ …) can’t do it right.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.