Reply to post: Solution looking for a problem

Dutch name authority: DNSSEC validation errors can be eliminated

Crypto Monad

Solution looking for a problem

It's pretty obvious when you think about it.

* At the content provider side: turning on DNSSEC signing can do only one thing, which is increase the risk of their users seeing SERVFAIL errors in the event that there's a DNSSEC misconfiguration. This admittedly includes those SERVFAIL errors generated if someone else tries to spoof their domain (rare). Most content providers are very sensitive to losing eyeballs, because that turns directly into lost revenue.

* At the access ISP side (eyeballs): turning on DNSSEC validation can do only one thing, which is increase the number of SERVFAIL errors seen by users accessing misconfigured DNSSEC domains. Those errors turn into support calls ("I can't access foo.com, but my friend who uses a different ISP can. Fix your broken ISP!"). Those support calls cost money.

As for those listed applications: DKIM, DMARC and SPF *don't* require DNSSEC. DANE does, but it's not being used for anything. If a technology doesn't have a business justification, it won't be deployed, no matter how cool.
