
TLD DNSSEC Report - thanksforfish
http://stats.research.icann.org/dns/tld_report/archive/20200428.000101.html
======
thanksforfish
Posting as a reminder that DNSSEC rollout to the top level domains (TLDs) is
still incomplete. Without DNSSEC, DNS is spoofable.

Further DNSSEC rollout to non-TLD DNS servers is also incomplete. DNS spoofing
is still possible in 2020.

[PDF, 2008] [https://www.iana.org/about/presentations/davies-viareggio-entropyvuln-081002.pdf](https://www.iana.org/about/presentations/davies-viareggio-entropyvuln-081002.pdf)

~~~
tptacek
_With_ DNSSEC, the DNS is spoofable. The two most common spoofing modalities
in practice are LAN-style spoofing (airport and coffee shop wireless) and
registrar ATO, both of which DNSSEC doesn't touch. Ironically, the former
spoofing modality is directly addressed by DoH (or DoT, if you trust your
network operator) and doesn't require coordinated or universal deployment.

There's a reason fewer than 2% of all .COM domains are signed; it's because
DNSSEC is moribund.
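Added example, not part of either comment above: a stub-resolver-side check that ties the two posts together. The first post's linked 2008 IANA slides concern the entropy a blind spoofer must guess to forge a reply (transaction ID plus source port); the second notes that a validating resolver and an encrypted path to it cover the on-path case. The code builds a query with a random 16-bit TXID, and then accepts a reply only if its source, destination port, TXID and question section all match the outstanding query, reporting the AD (Authenticated Data) bit that a DNSSEC-validating recursive resolver sets. All packets, the 192.0.2.x addresses and the port numbers are constructed for the demonstration; the AD bit is only trustworthy when the resolver itself is trusted and the path to it is protected, which is what DoT/DoH provide.

```python
"""Stub-resolver checks against blind DNS reply spoofing, plus reading the AD
flag that a DNSSEC-validating recursive resolver sets. Constructed example:
all packets, addresses and ports are illustrative."""
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: resolver validated the answer with DNSSEC


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode an uncompressed wire-format name at off; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in the question section")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a recursive query; the 16-bit TXID is drawn from a CSPRNG unless given."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ad: bool, rdata: bytes = b"\xc0\x00\x02\x01") -> bytes:
    """Answer a query with one A record (constructed address 192.0.2.1), echoing its question."""
    txid, _, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, qd, 1, 0, 0)
    # answer: compression pointer to the question name (0xC00C), type A, class IN, TTL 300
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + query[12:] + answer


@dataclass
class Pending:
    """What the stub remembers about an outstanding query. A random source port
    adds ~16 bits to the 16-bit TXID a blind spoofer would have to guess."""
    txid: int
    src_port: int
    server: str
    qname: str
    qtype: int


@dataclass
class Verdict:
    accepted: bool
    reason: str
    ad: bool = False


def check_response(p: Pending, src: tuple[str, int], dst_port: int, msg: bytes) -> Verdict:
    """Accept a reply only if every field a blind spoofer must guess matches the
    outstanding query; report the AD bit of accepted replies."""
    if src != (p.server, 53):
        return Verdict(False, "source address/port mismatch")
    if dst_port != p.src_port:
        return Verdict(False, "destination port mismatch")
    if len(msg) < 12:
        return Verdict(False, "truncated header")
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        return Verdict(False, "QR bit not set")
    if txid != p.txid:
        return Verdict(False, "transaction ID mismatch")
    if qd != 1:
        return Verdict(False, "unexpected question count")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    if (qname.lower(), qtype, qclass) != (p.qname.rstrip(".").lower(), p.qtype, 1):
        return Verdict(False, "question section mismatch")
    ad = bool(flags & FLAG_AD)
    return Verdict(True, "accepted; AD=1 (validating resolver)" if ad else "accepted; AD=0 (unvalidated)", ad)


if __name__ == "__main__":
    q = build_query("example.com")
    txid = struct.unpack("!H", q[:2])[0]
    pending = Pending(txid, src_port=40211, server="192.0.2.53", qname="example.com", qtype=1)
    print(check_response(pending, ("192.0.2.53", 53), 40211, build_response(q, ad=True)))
    forged = build_response(build_query("example.com", txid=(txid + 1) & 0xFFFF), ad=True)
    print(check_response(pending, ("192.0.2.53", 53), 40211, forged))
```

The checks are exactly what a resolver relies on in the absence of DNSSEC, which is why the entropy behind the TXID and source port mattered in 2008 and still does; an AD=1 verdict says only that the resolver you asked claims to have validated, so it is worth nothing on a hostile network unless the resolver path is authenticated (DoT/DoH) or the stub validates the RRSIGs itself.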

