Calling time on DNSSEC?
By Geoff Huston on 28 May 2024
https://blog.apnic.net/2024/05/28/calling-time-on-dnssec/

"There have been quite a few Internet technologies that have not been enthusiastically adopted from the outset. In many cases, the technology has been quietly discarded in favour of the next innovation, but in some cases, the technology just refuses to go away and sits in a protracted state of partial adoption. In some cases, this has seen a determinate state so protracted that much of the original rationale for the technology has been overtaken by events and the case to support adoption needs to be rephrased in more recent terms.

IPv6 is a good case in point where the basic architecture of the protocol, namely as an end-to-end address-based datagram architecture, has become an imperfect fit for a client-server network that makes extensive use of replicated service delivery platforms.

Today's network is undertaking a transformation to a name-based network, and running out of addresses to the extent that it is no longer possible to uniquely address every attached client, is no longer the catastrophic event that we once thought it would be. We appear to have attached some 30B devices in today's Internet, yet in terms of IPv4 use, we have achieved this using a little over 3B unique IPv4 addresses visible in the routing system.

In this case, I'm referring to secured DNS, or DNSSEC, which has been tied up in progressive adoption for some 30 years. Over this time, we've seen many theories appear as to why the pace of adoption of DNSSEC has been so lacklustre, including a lack of awareness, poor tooling, inability to automate operational management, too much operational complexity and a general inability to sustain a case that the incremental benefits of adoption of DNSSEC far outweigh the increased operational costs and added service fragility. Because of the lack of clear signals of general adoption of DNSSEC over three decades, is it time to acknowledge that DNSSEC is just not going anywhere? Is it time to call it a day for DNSSEC and just move on?

Now admittedly this is an extreme position, and I admit to deliberately being somewhat provocative in asking this question to get your attention but there is a grain of an uncomfortable truth here. As a collection of service operators, we appear not to care sufficiently to invest in supporting the additional costs to operate a DNSSEC-secured DNS. After some 30 years of living with a largely insecure DNS infrastructure, we appear to be comfortable with this outcome.

How have we got to this point?" ...
-- __ __#_ < |\| |< _#