
Failing to secure DNS is 'savage ignorance': Geoff Huston - baha_man
https://www.zdnet.com/article/failing-to-secure-dns-is-savage-ignorance-geoff-huston/
======
belorn
In order to get DNSSEC to work you need to have the DNS server updating the
registry. If you are a registrar then you _only_ need to implement the
practically unique way each registry does this (because following the EPP
standard is not even close to universal, or even the majority). If you are
instead a registrant then you've got to follow whatever unique API your
registrar has provided to do this.

If you have a few hundred domains spread out over several registrars for
several different top level domains, what you have is a nice mess that you
have to create a custom solution to, on top of just getting the DNS software to
do the signing, roll the key, watch for the key to go live at the registry,
and so on.

Naturally if you have a domain and your registrar is also your DNS provider,
then getting DNSSEC is easy. Just switch to one that will do it.

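The "watch for the key to go live at the registry" step above boils down to one check: derive the DS record the parent should publish from your zone's KSK and compare it with what the registry actually returns. The following is an added illustration, not code from the thread or any registrar API; the zone name and key bytes are constructed sample values, and the registry DS list is assumed to have been fetched by whatever means the registrar provides.

```python
import base64
import hashlib
from dataclasses import dataclass

DS_DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # raw key bytes (the base64 field in the zone file, decoded)

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire form: flags (2) | protocol (1) | algorithm (1) | key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone: str, key: DNSKEY) -> str:
    """SHA-256 DS digest per RFC 4034 5.1.4: hash(owner name wire form || DNSKEY RDATA)."""
    return hashlib.sha256(owner_name_wire(zone) + key.rdata()).hexdigest().upper()


def expected_ds(zone: str, key: DNSKEY):
    """The (key tag, algorithm, digest type, digest) tuple the parent zone should publish."""
    return (key_tag(key), key.algorithm, DS_DIGEST_SHA256, ds_digest(zone, key))


def ds_published(zone: str, key: DNSKEY, registry_ds) -> bool:
    """True once the registry's DS set (list of (tag, alg, dtype, hex) tuples) covers this KSK."""
    want = expected_ds(zone, key)
    return any((t, a, d, h.upper()) == want for t, a, d, h in registry_ds)


# Constructed sample: not a real key, just 64 deterministic bytes with KSK flags.
SAMPLE_ZONE = "example.com."
SAMPLE_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))

if __name__ == "__main__":
    print("zone file key:", base64.b64encode(SAMPLE_KSK.public_key).decode())
    print("expected DS  :", expected_ds(SAMPLE_ZONE, SAMPLE_KSK))
```

Poll `ds_published()` against the registry's DS set after submitting the record, and only retire the old KSK once it returns True; a mismatch usually means the registrar re-encoded the key or the wrong digest type was submitted.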
