Anyone who really knows anything about DNS at all can tell you that DNSSEC is garbage trash that doesn't deliver what it supposedly promises to, hasn't protected (and won't) anyone from the types of cache poisoning or the Kaminsky flaw and others that BIND seems to always be vulnerable to, and that the damage from DNS amplification attacks is actually exacerbated and "amplified" when DNSSEC is enabled.
DNSCurve = Good, DNSSEC = BAD BAD BAD (And no, I'm not a Bernstein fanboi and I don't like djbdns, but I do agree with him that CNAME RRs are almost always stupid and lame - use a fricken' A record!).
In fact, DNSSEC is about taking away choice and freedom, a product resulting from nefarious and insidious agendas endeared by Paul Vixie, Verisign, the Evil ICANN, WIPO, and others with something to gain at your expense, while the DoC and the NTIA push paper about from one desk to the next saying, "What, me worry?"
Another point of fact: the only two real Auth DNS Servers out there that have implemented DNSSEC are BIND and Unbound, and only Unbound did a good job IMNSHO. BIND has still proven to be a hole as big as a truck, while most of the other daemons out there like PowerDNS or MaraDNS/Deadwood are as secure as a 600-pound Danforth anchoring a 6-foot dinghy. DNSSEC is like a 600-pound gorilla jumping up and down in that dinghy.