I, humbly, consider myself pretty conversant in the basics of (modern and classical) cryptography and information security.
For most of my career, I've been mystified as to what problem #DNSSEC purports to solve.
Has there ever been a case of a DNS-based attack (spoofing, hijacking, transfer, DDoS, etc.) that's been thwarted by DNSSEC? Or, in the reverse, has there been an attack that was successful that DNSSEC would have solved?
I don't know what it is, but the upsides of DNSSEC just haven't clicked in my brain.
Seirdy
in reply to Tod Beardsley 🏴☠️
Anton
in reply to Seirdy
Let's Encrypt uses multiple locations in different networks, so you'd have to tamper with more than one DNS resolver/network, but with DNSSEC you get the ability to trust the data in DNS as well.
MTA-STS does not require DNSSEC. Instead, it relies on TLS certificate validation for providing the trust.
Seirdy
in reply to Anton