Consider disabling DNSSEC?
Posted: Sun Feb 23, 2020 12:06 pm
Hi,
DNSSEC has fallen out of favor recently. It's no longer a recommended standard for federal websites. It has not gained adoption in mainstream browsers. It's also a usability nightmare since you can't show anything to the user when resolution fails. This argument has been made in depth by eg. https://sockpuppet.org/blog/2015/01/15/against-dnssec/ or https://www.imperialviolet.org/2015/01/17/notdane.html.
I was wondering if you would consider disabling DNSSEC on the Sonic.net DNS resolvers. This might simplify the configuration, and make those servers more robust.
Thanks,
Kevin
DNSSEC has fallen out of favor recently. It's no longer a recommended standard for federal websites. It has not gained adoption in mainstream browsers. It's also a usability nightmare since you can't show anything to the user when resolution fails. This argument has been made in depth by eg. https://sockpuppet.org/blog/2015/01/15/against-dnssec/ or https://www.imperialviolet.org/2015/01/17/notdane.html.
I was wondering if you would consider disabling DNSSEC on the Sonic.net DNS resolvers. This might simplify the configuration, and make those servers more robust.
Thanks,
Kevin