The weak algorithms are a red herring. Not having DNSSEC at all gives you 0-bit security, how strong is that??? A few domains with 512-bit keys have little to protect for now, and will soon have better keys. They put nobody else at risk. Most domains are just fine
Replying to @VDukhovni @mdhardeman
Not having DNSSEC also gives you 0 DNSSEC related outages. My core point is that if it were just a harmless experiment, it'd be fine. Outages change it from a "HOLD" to a "SELL".
Replying to @colmmacc @mdhardeman
Expired certificates also create outages. Running a production network requires operational discipline. Folks who don't have it often outsource to folks who do. Cloudflare hosts tens of thousands of DNSSEC-signed domains just fine.
Replying to @VDukhovni @mdhardeman
You're right about expired certificates, but TLS provides actual security too. That's my sense of the cost-benefit trade-off. DNSSEC isn't worth it. CloudFlare could be 100% perfect at operations and still suffer when an ISP screws up DNSSEC on the resolvers. Not so with TLS.
Replying to @colmmacc @mdhardeman
Fine with you making your own tradeoffs. However, you state as black and white facts what are really personal prefs. My domain is monitored via proactive alerts well before sig expiry. DANE protects my email. Let's avoid zealous maxims, be right not righteous.
Replying to @VDukhovni @mdhardeman
But I am right. DNSSEC doesn't actually work and it does cause outages. Don't use it. Get out of here with this righteous nonsense!
Replying to @colmmacc @mdhardeman
It works quite well for many users. What you say is hyperbole. It may suit your needs and preferences, but is not a truth to impart to the world.
Replying to @VDukhovni @mdhardeman
DNSSEC doesn't actually work. That's not hyperbolic, it really doesn't work. It does cause outages, again, not hyperbole. Please don't mislead users otherwise, it's not responsible. Again: Don't use it.
Replying to @colmmacc @mdhardeman
It sure works for me, that's a fact. Ditto for many other domains. It allows me to publish TLSA records in a downgrade-resistant manner to the rest of the world. It clearly does not work for you, but let's not get religious about it.
Replying to @VDukhovni @mdhardeman
Nope. It doesn't work, that's the truth. Once again: It doesn't protect the weakest link in the chain at all, and where it tries to, it gets the crypto wrong to the point that it's not secure. It also causes outages. None of this is a matter of opinion. There's not two sides.
My comment about trade-offs may be confusing you: I wrote that DNSSEC might be ok as a harmless experiment to be ambivalent about if it didn't cause outages. I wasn't implying that it provided any useful security in a security vs availability trade-off. It doesn't.