Not having DNSSEC also gives you 0 DNSSEC related outages. My core point is that if it were just a harmless experiment, it'd be fine. Outages change it from a "HOLD" to a "SELL".
It doesn't make it any less true either! A local attacker on a user's network can subvert DNSSEC trivially, but they can't subvert a DV cert issuance. DV cert mis-issuance due to domain spoofing is basically unheard of, but CT logs are a great improvement that really nails it.
You're surely aware that the local attacker cannot break DNSSEC validation performed locally on a machine. Validation at some distant forwarder is a straw-man irrelevance. CT protection is at best after the fact, and solves Google's problem, but does little for most domains.
Come back when local DNSSEC validation is a thing. It's not a thing. I doubt it will ever be a thing. In the meantime: DNSSEC doesn't work, and does cause outages. Major browsers are turning on mandatory CT for everything. That's strong protection for everyone.