You're right about expired certificates, but TLS provides actual security too. That's my sense of the cost-benefit trade-off. DNSSEC isn't worth it. CloudFlare could be 100% perfect at operations and still suffer when an ISP screws up DNSSEC on the resolvers. Not so with TLS.
Come back when local DNSSEC validation is a thing. It's not a thing. I doubt it will ever be a thing. In the meantime: DNSSEC doesn't work, and does cause outages. Major browsers are turning on mandatory CT for everything. That's strong protection for everyone.
Local DNSSEC validation is running on every DANE-enabled SMTP server. There are thousands of domains doing it, e.g. on the https://mailinabox.email personal email appliance. Cisco will shortly roll out DANE support (with local validation) in their ESA product...
... but that's not where the users are. It can still be trivially spoofed between the mail server and the user, and it can often still be forged with a bit of effort even to the SMTP server.