> On Dec 18, 2018, at 4:48 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> To my knowledge, no generic browser client does DNSSEC validation, for the
> reason that when people have looked at it it created unacceptable failure
> rates.
Agreed. That's a pretty safe bet. The last-mile problem is still with us for
now, though of course DoH/DoT change that too. The failure rates are almost
never on the backbone, but rather between the user and a crippled local
resolver.
To the extent that ESNI presumes DoH/DoT, DNSSEC might become more viable, but
we're certainly not there yet.
And even though public recursive resolvers often do validation, most domains
are as yet unsigned, the signed domains are still heavily concentrated at
a few registries and hosting providers in Northern Europe, and separately
Brazil.
Adoption elsewhere is still light, and adoption barriers at registries and
registrars are a major obstacle, though that is slowly starting to change as
some start to implement CDS (RFC 8078) support.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls