Jeroen Massar via NANOG <nanog@nanog.org> writes:
> No, not even kidding. For many organisations DNSSEC is 'scary' and a burden as it feels 'fragile' for them.
Unfortunately, yes. And those of us who use it know that this is a myth. With modern software, DNSSEC is quick and easy to set up, and works just fine, with no reason for any problems. The effort invested is a very low price to pay for the added protection, both directly (by making sure that spoofing attacks &c make resolving fail noticeably), and through the various added mechanisms you can then apply, such as CAA records.
> And replacing a DNS key can take a few moments, especially with caching of records etc. Thus downtime is then ensured.
Not if you do it right. Add the new key, wait a while, then remove the old key. On installations I manage, this is scripted, and done from cron, rotating ZSKs on a monthly basis.
> Combine that with many shops not having much DNS knowledge in the first place, and they won't easily get their heads around that barrier.
Now that's a real problem. If you're going to do X, you should have someone on staff who knows enough about X to do it right, safely.

-tih

-- 
Most people who graduate with CS degrees don't understand the significance of Lisp. Lisp is the most important idea in computer science. --Alan Kay
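The "add the new key, wait a while, then remove the old key" ZSK rollover discussed in this message, modelled as an added example (it is not the poster's cron script). It computes the two waiting periods from the DNSKEY TTL, the largest zone TTL and a secondary-propagation allowance (all constructed values, in minutes), and then brute-forces every combination of cached DNSKEY RRset and cached RRSIG a resolver could hold to find the moments at which removing the old key too early would make validation, and hence resolution, fail:

```python
DNSKEY_TTL = 60          # TTL of the zone's DNSKEY RRset, in minutes (constructed)
MAX_ZONE_TTL = 24 * 60   # largest TTL of any signed RRset in the zone (constructed)
PROPAGATION = 30         # worst-case lag until every secondary serves a new zone version


def plan_prepublish_rollover(dnskey_ttl=DNSKEY_TTL, max_zone_ttl=MAX_ZONE_TTL,
                             propagation=PROPAGATION):
    """Timeline (minutes) of a pre-publish ZSK rollover, RFC 6781 section 4.1.1.1."""
    publish = 0
    # A cache may hold the pre-rollover DNSKEY RRset until every secondary has the
    # new one and that copy has expired; only then may the new key start signing.
    activate = publish + propagation + dnskey_ttl
    # Signatures by the old key may sit in caches for max_zone_ttl after the last
    # old-signed zone was served; the old DNSKEY must stay published that long.
    remove = activate + propagation + max_zone_ttl
    return {"publish": publish, "activate": activate, "remove": remove}


def published_keys(plan, t):
    """DNSKEY RRset ("old"/"new") served by the primary at minute t."""
    keys = set()
    if t < plan["remove"]:
        keys.add("old")
    if t >= plan["publish"]:
        keys.add("new")
    return keys


def signing_key(plan, t):
    """Which ZSK signs the zone data the primary serves at minute t."""
    return "new" if t >= plan["activate"] else "old"


def validation_gaps(plan, dnskey_ttl=DNSKEY_TTL, max_zone_ttl=MAX_ZONE_TTL,
                    propagation=PROPAGATION, step=10):
    """Minutes at which a resolver could hold an RRSIG whose key is not in its cached DNSKEY RRset."""
    gaps = []
    for now in range(-step, plan["remove"] + max_zone_ttl + propagation + step, step):
        # DNSKEY RRsets a cache may still hold: fetched within dnskey_ttl, possibly
        # from a secondary lagging the primary by up to `propagation` minutes.
        keysets = [published_keys(plan, f - lag)
                   for f in range(now - dnskey_ttl, now + 1, step)
                   for lag in range(0, propagation + 1, step)]
        # Signers of RRSIGs a cache may still hold, under the same assumptions.
        signers = {signing_key(plan, f - lag)
                   for f in range(now - max_zone_ttl, now + 1, step)
                   for lag in range(0, propagation + 1, step)}
        if any(s not in ks for s in signers for ks in keysets):
            gaps.append(now)
    return gaps
```

A monthly cron job that publishes the next ZSK can reuse the returned timestamps as its activate and remove dates; `validation_gaps` on the planned timeline should be empty before the job is allowed to touch the zone.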