On 2/25/2014 10:32 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
My domains are (or will be when the transfer completes) signed with
NSEC3. RFC 5155 (NSEC3) was published in 2008. The root zone was
signed around 2010. DNSSEC is up and running.
Well, I sent them the two responses I got here (from rob0 and Viktor),
and, in addition to what I think is the real reason, here is what they
came back with:
domains are more likely to go down due to poor DNSSEC administration
than any domain will be down due to cache poisoning or the other hacks
that DNSSEC is designed to prevent. Have you actually heard of DNSSEC
successfully stopping a hack yet? You probably have not because it
hasn't.
Have you heard of DNSSEC causing downtime for domains? I am sure you
have... because it happens often.
This is why most of the largest domains do not support DNSSEC, nor
will they.
<sigh>
Oh well, not an immediate problem, and their normal DNS service is
excellent (and really cheap - $29/yr for up to 10 domains)...
--
Best regards,
Charles