DNS security is important but DNSSEC may be a failed experiment

⁨23⁩ ⁨likes⁩

Submitted ⁨⁨16⁩ ⁨hours⁩ ago⁩ by ⁨BrikoX@lemmy.zip⁩ to ⁨technology@lemmy.zip⁩

https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/

Systems Approach: Nobody thinks of running a website without HTTPs. Safer DNS still seems optional

Comments

Sort:hotnew top

nightwatch_admin@feddit.nl ⁨8⁩ ⁨hours⁩ ago
Nice opinion piece, but I disagree with the core idea that dnssec’s biggest problem is visibility (also, there hasn’t been any padlock icon in years in browsers). IMHO we have 3 main drivers that made https a success, and dnnsec (and smtps) not:

enforced by browsers: while you could file it under “visibility”, the difference to me is that browsers refuse to load your site without https. If they had resorted to a mere red address bar, https would never really have taken off.

”atomic”: a site with failed https is only 1 failed site. Other sites, APIs, mail servers etc under the same domain will still work.

DNSSEC is HARD. Yes, your dns./website provider makes it look easy but really, this stuff is seriously hard to do right now, and there is little tooling to help you with it; the same reason smtps (and maybe ipv6) failed so hard, I think.
source
possiblylinux127@lemmy.zip ⁨9⁩ ⁨hours⁩ ago
It breaks DNS64

source