1. DNSSEC is effectively dead in practice
- “DNSSEC penetration in the top 1000 is single digits % … I’ve seen just three Tranco Top 1000 domains change their DNSSEC state” – tptacek
- “DNSSEC is moribund.” – tptacek
- “DNSSEC mistakes take your entire domain off the Internet, as if it had never existed.” – tptacek
2. The industry has only just begun to enforce DNSSEC, and the incentive is weak
- “No CA requires DNSSEC.” – tptacek
- “CAs are now required to honor DNSSEC, where they weren’t before.” – tptacek
- “CAs want to sell you certificates, browsers compete on their support for those certificates.” – throwway120385
3. The security benefits are outweighed by operational risk and downtime
- “DNSSEC adds an expiring, rotating key change regime … If you screw it up, the screwup is cached everywhere.” – tptacek
- “DNSSEC is a key‑escrow system.” (repeatedly cited as a major drawback) – tptacek
These three themes—low adoption, weak enforcement, and high operational cost—drive the debate over whether DNSSEC should be pushed forward or abandoned.