> Without DNSSEC anyone can forge responses. With DNSSEC you limit that to the zone administrator.
Whilst that is an improvement, it is still bad. Specifically, I'd it is not good enough to build a secure system on. There is an argument to be made that it is nice for defense in depth, but it should not be stand-alone security.
There are other practical concerns regarding DNSSEC at the moment with failure handling.
Whilst that is an improvement, it is still bad. Specifically, I'd it is not good enough to build a secure system on. There is an argument to be made that it is nice for defense in depth, but it should not be stand-alone security.
There are other practical concerns regarding DNSSEC at the moment with failure handling.