Hey @alexstamos are your ears burning or do you want me to take this for you? (Fair warning if I have to make the argument for Per, I get to say you agree with everything I say.) https://twitter.com/thorsheim/status/1122150974536155136
Replying to @tqbf @alexstamos
Twitterstalker! :D But fair enough. I am looking for the serious arguments here. Microsoft & Google have lots of #dnssec support already even if their main domains are not signed, I have yet to hear or understand the «technically not possible» explanation.
2 replies 0 retweets 1 like -
Replying to @thorsheim @alexstamos
By lots, you mean “no meaningful support”, right? Take Microsoft: it’s not just their main domain that isn’t signed. Office 365 and Azure aren’t either. Microsoft does not operationally depend on or even take advantage of DNSSEC, just like most tech firms.
2 replies 0 retweets 4 likes -
As someone who led the MSFT DNS server platform for a while, I can say I was not the only one at MSFT over the years who decided DNSSEC represents increased fragility with negligible security benefits, especially when looked at in the context of real threats it doesn't surprise me.
3 replies 8 retweets 25 likes -
Negligible benefits is obviously wrong. But you’re not going to listen anyway. Soon dnssec workaround RFC pages will outnumber the RFC pages of dnssec and you will flip your arguments of complexity and fragility around
2 replies 0 retweets 1 like
I assume by "dnssec workaround RFC" you mean workarounds for *lack* of DNSSEC (e.g. MTA-STS), rather than workarounds for DNSSEC itself? If not, this Tweet doesn't seem like an argument in favor of DNSSEC.