Jun 022023

I’m calling time on DNSSEC. Last week, prompted by a change in my DNS hosting setup, I began removing it from the few personal zones I had signed. Then this Monday the .nz ccTLD experienced a multi-day availability incident triggered by the annual DNSSEC key rotation process. This incident broke several of my unsigned zones, which led me to say very unkind things about DNSSEC on Mastodon and now I feel compelled to more completely explain my thinking:
For almost all domains and use-cases, the costs and risks of deploying DNSSEC outweigh the benefits it provides. Don’t bother signing your zones.
The .nz incident, while topical, is not the motivation or the trigger for this conclusion. Had…

External feed Read More at the Source: https://www.mattb.nz/w/2023/06/02/calling-time-on-dnssec/


Sorry, the comment form is closed at this time.