DNSSEC is, unsurprisingly, designed to secure DNS only. It only tells you that the answer you received is authentic. DNSSEC would prevent a DNS server hijacked via BGP from being evil, in that it couldn't give bad answers.
It doesn't, however, typically help in a BGP hijack. The DNS answer is authentic, but the server at the address in the answer isn't.
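To make the distinction concrete, here is an added Python example (not from this thread or any commenter) that models the two layers separately: a validating resolver checks the signature on the RRset, and then the validated address is reached through whatever the routing table says. The zone key, hostnames, TEST-NET addresses and the HMAC-based stand-in for RRSIG are all constructed for illustration; real DNSSEC uses asymmetric zone keys, but the scope of what the signature covers is the same.

```python
import hashlib
import hmac
import ipaddress

# Constructed toy zone key. Real DNSSEC publishes RRSIG records made with an
# asymmetric ZSK/KSK; HMAC-SHA256 is a stand-in so this runs on the stdlib alone.
ZONE_KEY = b"constructed-example-zone-key"


def canonical_rrset(name: str, rtype: str, rdata: list[str]) -> bytes:
    """Canonical form of an RRset: owner name lowercased, rdata sorted."""
    return f"{name.lower()}|{rtype}|{'|'.join(sorted(rdata))}".encode()


def sign_rrset(name: str, rtype: str, rdata: list[str], key: bytes = ZONE_KEY) -> str:
    """The RRSIG-like value the zone owner publishes alongside the RRset."""
    return hmac.new(key, canonical_rrset(name, rtype, rdata), hashlib.sha256).hexdigest()


def validate_answer(answer: dict, key: bytes = ZONE_KEY) -> bool:
    """What a validating resolver does: recompute and compare in constant time."""
    expected = sign_rrset(answer["name"], answer["type"], answer["rdata"], key)
    return hmac.compare_digest(expected, answer["rrsig"])


def connect(answer: dict, routing: dict[str, str], key: bytes = ZONE_KEY) -> str:
    """Validate the answer, then reach the address via longest-prefix routing.

    Returns the identity of whoever is actually reachable at that address.
    DNSSEC only proves the address came from the zone owner; it says nothing
    about which network the packets end up in.
    """
    if not validate_answer(answer, key):
        raise ValueError("DNSSEC validation failed: answer rejected")
    addr = ipaddress.ip_address(answer["rdata"][0])
    matches = [(ipaddress.ip_network(p), host) for p, host in routing.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError("no route to host")
    # BGP prefers the most specific prefix, so a /25 beats the legitimate /24.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Constructed sample data using the TEST-NET-1 documentation range.
GENUINE = {"name": "www.example.com.", "type": "A", "rdata": ["192.0.2.10"]}
GENUINE["rrsig"] = sign_rrset(GENUINE["name"], GENUINE["type"], GENUINE["rdata"])

# Same record with the address swapped: the published signature no longer matches.
TAMPERED = dict(GENUINE, rdata=["198.51.100.99"])

NORMAL_ROUTES = {"192.0.2.0/24": "legit-server"}
# A hypothetical more-specific announcement covering the same address.
HIJACKED_ROUTES = {"192.0.2.0/24": "legit-server", "192.0.2.0/25": "imposter"}

if __name__ == "__main__":
    print("genuine validates:", validate_answer(GENUINE))      # True
    print("tampered validates:", validate_answer(TAMPERED))    # False
    print("normal routing reaches:", connect(GENUINE, NORMAL_ROUTES))
    print("hijacked routing reaches:", connect(GENUINE, HIJACKED_ROUTES))
```

The tampered record is rejected, which is the problem DNSSEC solves; the genuine record validates in both routing tables and still lands on the imposter under the more-specific prefix, which is the problem it does not. Authenticating the endpoint itself has to come from another layer.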
As tptacek will tell you, there's never any situation where DNSSEC would help. For instance, it doesn't mean your own DNS lookups to 1.1.1.1 are secure, but it does mean Libya is a CA for bit.ly.
Although trying to turn it on did take Slack and HBO down in the past, so someone out there cares.
Never helps. Causes outages. Route all your DNS through 1.1.1.1 or 8.8.8.8 instead. Sheesh. In Ancient Rome, weren't dictators expected to vacate office once their task had been accomplished and decentralized solutions were ready to once again take hold? Why is it that I always feel the heat whenever I voice words of support for DNSSEC?
DNSSEC worked mostly fine for Slack, except that their DNS provider, Route 53, initially had a bug where wildcard records on DNSSEC would not get correctly signed. It was when Slack panicked and tried to turn off DNSSEC that they completely bungled it and borked their whole setup.
This is the funniest apology for DNSSEC I've ever read. It's fine, as long as you never try to turn it off! Or use Route53! Don't do that, or your whole site will fall off the Internet for a day. Got it!
As a well-known person on HN, that amount of snark is unbecoming of you. FWIW, you can bork your own system just as much, if not even more so, with HSTS headers. And also with DNS in general; how many people have mucked up a DNS setting and then have no recourse but to wait it out? The issue was not DNSSEC, but Slack who panicked and pulled the plug on themselves.
It's not snark if you're mocking the person you're talking to. That's just disrespect. Maybe he's had bad experiences in the past with DNSSEC that are causing him to forget himself. I feel like he's been talking down to me too.
Read it again. I'm not "mocking the person I'm talking to". I don't even know the person I'm talking to. I'm mocking the statement they made, that DNSSEC is fine, and when it blows your whole site off the Internet because you dared turn it off after it immediately caused problems the moment it was turned on, well, you were just holding it wrong. It really is funny! Read their comment again, too!
I suppose I could be less snarky, but my snark here is substantive, and I'm comfortable with what it says about my seriousness. You're going to have to do better than trying to work the refs here.