Ca By wrote:
It’s quite common for DNSSEC to fail at spectacular scale
What’s uncommon? Attacks that DNSSEC is intended to solve.
DNSSEC is considered harmful on the internet
Correct.
The problem is that PKI, in general, does not offer cryptographic
security but just assumes intelligent intermediate entities of CAs,
which are called trusted third parties, are trustworthy, which
is improper social, not cryptographic, assumption as was demonstrated
by a compromised CA of diginotar about 10 years ago.
https://en.wikipedia.org/wiki/DigiNotar
Masataka Ohta
