
   comp.misc      General topics about computers not cover      21,759 messages   


   Message 20,331 of 21,759   
   Computer Nerd Kev to All   
   [LINK] Calling time on DNSSEC?   
   27 Nov 24 08:44:07   
   
   From: not@telling.you.invalid   
      
   Calling time on DNSSEC?   
    By Geoff Huston on 28 May 2024   
    - https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/   
      
   "There have been quite a few Internet technologies that have not   
    been enthusiastically adopted from the outset. In many cases, the   
    technology has been quietly discarded in favour of the next   
    innovation, but in some cases, the technology just refuses to go   
    away and sits in a protracted state of partial adoption. In some   
    cases, this has seen a determinate state so protracted that much of   
    the original rationale for the technology has been overtaken by   
    events and the case to support adoption needs to be rephrased in   
    more recent terms.   
      
    IPv6 is a good case in point where the basic architecture of the   
    protocol, namely as an end-to-end address-based datagram   
    architecture, has become an imperfect fit for a client-server   
    network that makes extensive use of replicated service delivery   
    platforms.   
      
    Today's network is undertaking a transformation to a name-based   
    network, and running out of addresses to the extent that it is no   
    longer possible to uniquely address every attached client, is no   
    longer the catastrophic event that we once thought it would be. We   
    appear to have attached some 30B devices in today's Internet, yet   
    in terms of IPv4 use, we have achieved this using a little over 3B   
    unique IPv4 addresses visible in the routing system.   
      
    In this case, I'm referring to secured DNS, or DNSSEC, which has   
    been tied up in progressive adoption for some 30 years. Over this   
    time, we've seen many theories appear as to why the pace of   
    adoption of DNSSEC has been so lacklustre, including a lack of   
    awareness, poor tooling, inability to automate operational   
    management, too much operational complexity and a general inability   
    to sustain a case that the incremental benefits of adoption of   
    DNSSEC far outweigh the increased operational costs and added   
    service fragility. Because of the lack of clear signals of general   
    adoption of DNSSEC over three decades, is it time to acknowledge   
    that DNSSEC is just not going anywhere? Is it time to call it a day   
    for DNSSEC and just move on?   
      
    Now admittedly this is an extreme position, and I admit to   
    deliberately being somewhat provocative in asking this question to   
    get your attention but there is a grain of an uncomfortable truth   
    here. As a collection of service operators, we appear not to care   
    sufficiently to invest in supporting the additional costs to   
    operate a DNSSEC-secured DNS. After some 30 years of living with a   
    largely insecure DNS infrastructure, we appear to be comfortable   
    with this outcome.   
      
    How have we got to this point?" ...   
      
   --   
   __          __   
   #_ < |\| |< _#   
      
   --- SoupGate-DOS v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
