Republicans are at the top and good at messaging to the bottom (but they rarely actually help the bottom).
Democrats are just bad all around, bad at messaging and bad at achieving things, but at least they mostly don't make things worse, and people with enough time invested in understanding politics (a minority of people) see that. When things do get worse and Democrats are in charge, Republican messaging is effective at convincing people it's the Democrats' fault (which it kinda is because they did nothing to stop it, and kinda isn't because they did nothing to cause it, and in any case the Republicans are even worse but good at saying they're not).
They're being contrarian and pedantic for the sake of being contrarian and pedantic. No, DNSSEC doesn't protect anything the user cares about because it protects IP addresses and the user doesn't care about IP addresses. Yes, DNSSEC protects the user because it blocks one vector by which they can be redirected to a phishing site.
You're all over this thread and every other DNS thread, even the ones that don't have much to do with DNSSEC, constantly complaining about DNSSEC. Why?
Last time you were arguing DNSSEC wouldn't solve BGP hijacks because whoever was hijacking the DNS server would just hijack the web server instead.
I archive linked it because you’re in this thread, and you operate that site. I’m removing any conflict of interest by posting it as an archive. I even used IA just to remove any hint of bias I suppose. I don’t want you doing timing attacks against me for posting it here now, or against those who may visit it later, nor do I want you to poison my DNS! I don’t even know enough about these exploits to know if it’s technically possible, but I know that you almost certainly do! I don’t think you would do this, but you’re in a position to do so.
I did not mean it as a slight by doing so. I meant it as an acknowledgment of the sensitive nature of these issues, and part of my work as an amateur journalist and archivist. I say amateur because I do not do this work for personal benefit or gain, but because I like researching and learning myself, and I don’t believe in putting a light I also read by under a bushel.
While searching for your post on archive.today or whatever their name is, I saw that it had also been archived without a trailing “/”, which redirects to the one with a trailing slash, so depending on how I parse what you said and how you originally posted it and how the redirect is implemented, I could see how that statement might be ambiguous, but that kind of thing might be handled by your webserver software. I don’t think that it’s worth mentioning, but you did say it’s always been at that URL, which I don’t dispute. I’ve never known it to be at any other URL.
As an amateur correspondent myself, the correspondents I’m concerned about doing right by would be other visitors to their site who click my link. I’m protecting link-clickers from my source, and my source from others. In this case, I’d view 'tptacek both as my source and as a potential operational security concern to me as an investigator, due to not knowing them well enough to know their motives, and not knowing who is watching them and everyone who visits their site, which is the larger and more legitimate concern about doing security research, in my view.
I'm just giving you shit. Thanks for posting it. You're not wrong: I have longstanding strong feelings (much further back than that post) about DNSSEC, both because I had to implement it, and because I remember it being used as an excuse not to randomize DNS requests. Also: I tilt at a lot of windmills, and this particular evil giant is on the verge of collapsing!
I think there's a lot of reasons why DNSSEC is moribund. It was a necessary accompaniment to IPSEC back in the mid-1990s when everybody assumed we'd be all v6 all IPSEC by 2000. Then Kashpureff's bailiwick attack happened, and we got this:
... but the bailiwick caching behavior was a straight-up bug, and rand(3) was enough to make QID spoofing more annoying to exploit than it was worth. Something like 5 years later we had the birthday attack, but I don't recall anybody taking it especially seriously --- maybe because at roughly the same time, DNSSEC was going through the "typecode roll" that took us from DNSSEC to DNSSECbis, and nobody was confident about pushing DNSSEC at that point; the TLDs weren't even signed.
Then 5 years after that we got Kaminsky. There's a spark of interest in DNSSEC after that... but all the vendors who hadn't already adopted DJB's randomization immediately did, and Kaminsky's attack stopped mattering.
By this point I think it was clear to everybody that protecting transactions wasn't going to be the motivating use case for DNSSEC, so people shifted to DANE: using DNSSEC as a global PKI to replace the X.509 certificate authorities. But DANE flat-out never worked; you couldn't deploy it in a way that was resilient against downgrades, so there was simply no point.
Then Google and Mozilla killed several of the largest CAs, and used their market power to force CT on the remaining (and thoroughly cowed) CAs. And LetsEncrypt happened. So modern concern over replacing the X.509 CAs registers somewhere in seriousness alongside Linux on the Desktop.
People try to come up with increasingly exotic reasons why we'll be forced to use DNSSEC with the WebPKI; it's not so much DANE anymore as it is resilience against BGP attacks and validation of ACME DNS challenges. It's all pretty unserious.
Meanwhile: unlike DNSSEC, which has seen only marginal adoption over 30 years, DoH has caught fire. Within the next 5 years, it's not unlikely that we'll come up with some deployment scenario whereby CAs can use DoH to secure lookups all the way to authority servers. We'll see. It's a lot more likely than a global deployment of DNSSEC.
There's just no reason for it to exist anymore.
I have a lot more reasons than this not to like DNSSEC --- I actively dislike it as a protocol and as a cryptosystem. But those are just my takes, and what I've related in this comment is I think pretty much objectively verifiable.
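An added illustration (not code from the thread or from any of its participants) that puts numbers on the "rand(3)" and birthday-attack remarks above: it estimates how likely a resolver is to accept a forged reply given the entropy it puts into each query, using the same resilience model RFC 5452 reasons with. The 16-bit QID-only case and the QID-plus-randomized-source-port case are compared; the 32-bit figure for the latter is an idealization, since in practice fewer than 16 bits of port entropy are usable.

```python
"""Estimate of forged-reply acceptance probability as a function of the
entropy a resolver puts into each outstanding query. Added example for
the discussion above; the model is the one used in RFC 5452's resilience
analysis and is an approximation, not a measurement of any resolver."""

QID_ONLY_BITS = 16            # 16-bit transaction ID, fixed source port
QID_PLUS_PORT_BITS = 32       # idealized: 16-bit QID + 16-bit random port


def p_single_query(entropy_bits: int, forged: int) -> float:
    """Probability that at least one of `forged` distinct forged replies
    matches the (QID, port) tuple of a single outstanding query."""
    space = 2 ** entropy_bits
    return min(forged, space) / space   # distinct guesses at a uniform target


def p_birthday(entropy_bits: int, outstanding: int, forged: int) -> float:
    """Birthday variant: the resolver has `outstanding` concurrent queries
    for the same name, each with an independent uniform tuple, and accepts
    a forged reply that matches any of them. Exact under those assumptions:
    P(hit) = 1 - (1 - forged/N) ** outstanding."""
    space = 2 ** entropy_bits
    miss_per_query = 1.0 - min(forged, space) / space
    return 1.0 - miss_per_query ** outstanding


def randomization_gain(forged: int, outstanding: int = 1) -> float:
    """How many times less likely acceptance becomes when the resolver moves
    from QID-only to QID-plus-random-port entropy (same attack volume)."""
    weak = p_birthday(QID_ONLY_BITS, outstanding, forged)
    strong = p_birthday(QID_PLUS_PORT_BITS, outstanding, forged)
    return weak / strong


if __name__ == "__main__":
    # Constructed scenario: 200 forged replies against 1 vs 200 outstanding queries.
    for bits in (QID_ONLY_BITS, QID_PLUS_PORT_BITS):
        print(bits, "bits: single =", p_single_query(bits, 200),
              "birthday(200) =", p_birthday(bits, 200, 200))
    print("gain from port randomization:", randomization_gain(200, 200))
```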