There's a historic DNSSEC requirement from the USG, which is actually a big chunk of the reason anyone invested in DNSSEC in the early 201x's. But then it got rescinded, but then it stuck in some of the OMB documents, and it's become a weird political football (in the fleeting moments anybody thinks about it) so we're in a weird limbo where every once in awhile teams like Slack turn it on to close some FedGov business and fall off the entire Internet for a half day when DNSSEC eats them.
And from there, it’s more recently worked its way into the minimum mandatory set of requirements in the StateRAMP baseline and the state specific variations such as TX-RAMP and AZ-RAMP.
We’re working with customers who will be subject to DNSSEC requirements due to business with state universities, and we will be trying to make a case with the sponsoring agencies to avoid deploying on their domains.
The Australian government’s offical cybersecurity guidelines recommend - but do not require - Australian government agencies to implement DNSSEC, “where possible” and especially on their “principal domains”. In a competitive procurement, if another vendor says “you want DNSSEC? No problem!”, while you are saying “we don’t support that” or trying to argue against the recommendation - that is unlikely to help in winning the deal. If your product is miles ahead of the competition, it might not matter; if it is close, this might be the thing that loses it.
It's funny how the USG might be conflicted with both an interest in DNSSEC adoption, and an interest in preventing its adoption.
Less than a year ago I was having DNS problems reaching a subnet in the spaceforce.mil domain (via AFRC Desktop Anywhere). After some troubleshooting, I determined that the DNS server for their subnet was not configured for DNSSEC and my client was configured to refuse unauthenticated resolvers. Everything worked fine once I turned off DNSSEC locally.
DNSSEC can prevent spoofing via MITM, which is something that lots of governments do, so I can see why they might not want everyone to adopt it.
On the other hand, DNSSEC can help to secure network communication, so I can see why they might want to adopt it.
> DNSSEC can prevent spoofing via MITM, which is something that lots of governments do, so I can see why they might not want everyone to adopt it.
Only if you're NOT using HTTPS, right? In which case your traffic is already trivially spoofable, so you're not really gaining anything else by using DNSSEC there.
