The main complaints I've heard about DNSSEC are that it isn't widely enough used yet, and we all have to trust ICANN. The first is a chicken-and-egg problem affecting all new network technology. As to the second, there is nothing to prevent local admins installing a different root zone provider trust anchor if they don't trust ICANN not to mis-sign a TLD that matters to them. In practice, technologies such as Convergence, designed to fix the current CA problem, are likely to be more effective if and when used for holding significant DNSSEC signing authorities to account.