As Paul Vixie says, “we've now spent more calendar- and person- years on DNSSEC than was spent on the entire IPv4 protocol suite (including DNS itself) as of 1996 when the DNSSEC effort began. ugly, ugly, ugly.“[1] DNSsec, a 20+ year old protocol[2] which causes more problems than those it solves, has a low rate of adoption for many good reasons. Two of them have been pointed out here: (a) the protocol itself and its implemementations are brittle to say the least, and (b) it's hard to deploy. Were it not by the stubborn posture of ICANN and “the powers that be” in IETF, it shouldn't be deployed against the advice of the infosec community. I wouldn't bore you with the technicalities (there are many excellent sources if you want to go into detail), but please let me write down a little recab of the most serious objections against DNSsec: * It is unnecesary * It allows monopolistic/governmental control through a controlled PKI[3] * It is cryptographically obsolete (and weak) * It is expensive to adopt and deploy * It is incomplete * It goes against fundamental architectural principles. We could also add, as somewhat less important drawbacks, that it makes reflection attacks worse, and degrades server performance. DNSsec is a nightmare, and since it has architectural failures, can't be fixed to work properly. Should I recall the catastrophic APNIC outage of 2016-03-15, which affected no less than 7381 autonomous systems? Or the numer of TLD outages of the last six months, incluidng inter alia .is, .mm, .bw, .az, .kia, .epson, .nec, ...? If you are thinking about deploying DNSsec, my best advice would be “don't do it”. Instead, make your best to convince the ignoramus at ICANN to review their posture about mandatory DNSsec implementation for registrars. Central authorities can’t solve the Internet trust problem. Central authorities ARE the Internet trust problem. Since I started with a quote, it seems adequate to finish with another one, from Alex Stamos [4]: “DNSSEC is dead. It's over. I'm just telling you now it's over. Don't put any of your future stock on DANE or any security solutions that are based on DNSSEC. It's done.” Regards from the Far South, Enrique [1] https://www.ietf.org/mail-archive/web/dnsop/current/msg13711.html [2] And not well engineered even for those ‘romantic’ times [3] DNSSEC’s job is to replace the TLS CA system by DANE. No meaningful security feature can rely on the trustworthiness of the CA system, and the recent BlueCoat ‘incident’ shows how broken it is. There's no doubt the X.509 TLS CA's infrastructure does need to be replaced, but I can't imagine a worse replacement than DANE. [4] https://youtu.be/-1kZMn1RueI