DNSSEC is dying, and the lessons we learnt from its failure
- Not considering fault tolerance
  - Downtime must be part of the security consideration, not just AAA. Being prone to downtime is a major dealbreaker for marginal security wins. Business needs always go before security (security is there to serve the business, not to choke it to death).
  - Easy to misconfigure = high operational risk = insecure
  - Single point of failure on DS records -> easy to break
- Not considering DX (Developer Experience)
  - Not scalable -> choke point on the DS record -> hard to configure multiple servers for the same zone
  - Progressive adoption is not possible -> adoption is all-or-nothing -> high risk of downtime
- No strong (enough) use cases
  - Marginal benefit when TLS is used; no benefit when plain text is used = not worth the trouble
  - Insufficient for defending against state-sponsored attacks = not worth the trouble
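
To make the DS single-point-of-failure bullet concrete, here is an added example (not part of the original note) of a pre-flight check that compares the parent's DS set against the DNSKEYs the child zone serves. The zone name, the keys and every function name are constructed for illustration; the DS digest and key tag follow RFC 4034 and RFC 4509.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """(key tag, algorithm, SHA-256 digest) as the parent would publish it."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def ds_matches_child(owner, parent_ds, child_dnskeys):
    """Necessary condition for validation: some parent DS matches a served DNSKEY."""
    published = {(tag, alg, digest.lower()) for tag, alg, digest in parent_ds}
    return any(make_ds(owner, rdata) in published for rdata in child_dnskeys)

# Constructed sample data: two fake 64-byte ECDSA P-256 (algorithm 13) KSKs.
ZONE = "example.test."
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
PARENT_DS = [make_ds(ZONE, OLD_KSK)]  # what the registry still holds

if __name__ == "__main__":
    for label, keys in [("before rollover", [OLD_KSK]),
                        ("double-published", [OLD_KSK, NEW_KSK]),
                        ("key swapped, DS not updated", [NEW_KSK])]:
        ok = ds_matches_child(ZONE, PARENT_DS, keys)
        print(f"{label}: {'ok' if ok else 'BOGUS: validating resolvers fail'}")
```

The third case is the outage: the zone data is intact, but one stale record at the parent makes every validating resolver reject it.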