Message-ID: <67464f37@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: [LINK] Calling time on DNSSEC?
Newsgroups: comp.misc
Keywords: internet,DNS,encryption,cryptography,security,domains,DNSSEC
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))
NNTP-Posting-Host: news.ausics.net
Date: 27 Nov 2024 08:44:07 +1000
Organization: Ausics - https://newsgroups.ausics.net
Lines: 55
X-Complaints: abuse@ausics.net
Path: ...!weretis.net!feeder9.news.weretis.net!news.bbs.nz!news.ausics.net!not-for-mail
Bytes: 3383

Calling time on DNSSEC?
 By Geoff Huston on 28 May 2024
 - https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/

"There have been quite a few Internet technologies that have not 
 been enthusiastically adopted from the outset. In many cases, the 
 technology has been quietly discarded in favour of the next 
 innovation, but in some cases, the technology just refuses to go 
 away and sits in a protracted state of partial adoption. In some 
 cases, this has seen a determinate state so protracted that much of 
 the original rationale for the technology has been overtaken by 
 events and the case to support adoption needs to be rephrased in 
 more recent terms.
 
 IPv6 is a good case in point where the basic architecture of the 
 protocol, namely as an end-to-end address-based datagram 
 architecture, has become an imperfect fit for a client-server 
 network that makes extensive use of replicated service delivery 
 platforms.
 
 Today's network is undertaking a transformation to a name-based 
 network, and running out of addresses to the extent that it is no 
 longer possible to uniquely address every attached client, is no 
 longer the catastrophic event that we once thought it would be. We 
 appear to have attached some 30B devices in today's Internet, yet 
 in terms of IPv4 use, we have achieved this using a little over 3B 
 unique IPv4 addresses visible in the routing system.
 
 In this case, I'm referring to secured DNS, or DNSSEC, which has 
 been tied up in progressive adoption for some 30 years. Over this 
 time, we've seen many theories appear as to why the pace of 
 adoption of DNSSEC has been so lacklustre, including a lack of 
 awareness, poor tooling, inability to automate operational 
 management, too much operational complexity and a general inability 
 to sustain a case that the incremental benefits of adoption of 
 DNSSEC far outweigh the increased operational costs and added 
 service fragility. Because of the lack of clear signals of general 
 adoption of DNSSEC over three decades, is it time to acknowledge 
 that DNSSEC is just not going anywhere? Is it time to call it a day 
 for DNSSEC and just move on?
 
 Now admittedly this is an extreme position, and I admit to 
 deliberately being somewhat provocative in asking this question to 
 get your attention but there is a grain of an uncomfortable truth 
 here. As a collection of service operators, we appear not to care 
 sufficiently to invest in supporting the additional costs to 
 operate a DNSSEC-secured DNS. After some 30 years of living with a 
 largely insecure DNS infrastructure, we appear to be comfortable 
 with this outcome.
 
 How have we got to this point?" ...

-- 
__          __
#_ < |\| |< _#