"I feel like I must have plateaued and don't know what to do next to level up."
Go out for a walk. Wherever you live, there will be a destination or an environment that will enrich your life just by visiting it. Go and take a look at it or experience it and then go back to worrying about tokens.
That article kicks off with a politically motivated "issue" which seems pointed at the US Govt (USG) before dealing with perceived architectural issues.
The thing about trust anchors is that they are trust anchors and not a back door. DNSSEC goes well out of its way, too, to not screw things up, as far as possible, if something is missing. OK, client implementations do that (I haven't gone into the RFCs in too much detail).
The architectural issues alluded to seem pretty handwavy too. I deployed a slack handful of PowerDNS boxes and adding DNSSEC is basically two CLI invocations per domain and passing on the DS records to upstream. The second invocation is to add an adjustment to deal with NXDOMAIN better (can't remember the exact thing at the moment)
If it doesn't work for you then fine - don't use it!
I find it useful and thanks to a decent implementation (so far) it is trivial to implement. However, I'm going to need to get my thinking cap on for some split-horizon domains.
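The comment above mentions handing the DS records up to the parent zone once a domain is signed. As an added worked example (my own code, not the commenter's and not part of PowerDNS or its `pdnsutil` tooling), here is the check I'd run before pasting a DS into a registrar form: derive the DS from the DNSKEY presentation text the signer prints, and confirm that a DS you have been given actually covers that key. The owner name `example.com.` and the DNSKEY are constructed for the example (the "public key" is four bytes, which no real algorithm uses, so the key tag can be checked by hand); the digest and key-tag rules follow RFC 4034.

```python
import base64
import hashlib
import struct

# Constructed sample input: a "DNSKEY" in presentation format as a signer would
# print it (flags proto alg base64). NOT a real key; only the framing is real.
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes([1, 2, 3, 4])).decode()

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2: lowercase, uncompressed)."""
    name = name.rstrip(".").lower()
    out = b""
    for label in name.split(".") if name else []:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(text):
    """Parse 'flags proto alg base64...' into DNSKEY wire RDATA."""
    flags, proto, alg, *key = text.split()
    pub = base64.b64decode("".join(key))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + pub


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the form used for every algorithm but RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, dnskey_text, digest_type=2):
    """Return the DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY.

    The digest covers owner-name-in-wire-form || DNSKEY RDATA (RFC 4034 s5.1.4).
    """
    rdata = dnskey_rdata(dnskey_text)
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0001:
        raise ValueError("not a zone key (ZONE flag clear); a DS must point at a zone key")
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner, dnskey_text, ds_text):
    """True only if the DS text (e.g. from the registrar) covers exactly this DNSKEY."""
    tag, alg, dtype, digest = ds_text.split()
    got = ds_from_dnskey(owner, dnskey_text, int(dtype))
    return got == (int(tag), int(alg), int(dtype), digest.upper())


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

The practical point is the last function: after the parent publishes your DS, fetch the DS and the DNSKEY and run the comparison, because a DS that does not match the published KSK (a typo in the digest, or a DS left behind after a key roll) makes the whole zone bogus for validating resolvers, which is exactly the failure mode discussed further down this thread.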
It doesn't work for most sites, which is why so few organizations use it. It's awfully hard to make an argument about how straightforward DNSSEC is to use after DNSSEC had to be disabled by Cloudflare and Quad9 for all of Germany because of a misconfiguration. And it's more or less impossible to take seriously as a security boundary after that. Real security protocols fail closed.
A fuck-up or two doesn't invalidate DNSSEC. IT-related security is hard, really hard, as you well know, but not impossible, nor likely perfect, and always a moving target.
Putting security on top of DNS is really, really hard because DNS was invented rather a long time ago, when information wanted to be free and not fettered, and I wore short trousers at school and in the distant future would run an IBM System/36!
When you confidently insist on "most sites" you appear to want to rudely trample on my experience of "it works for me and my 20-at-the-moment DNS domains, and increasing as I migrate them over". I'm taking my time - I have quite a few more to do and each one needs adding to monitoring etc.
I don't run .de and I do feel for the lads 'n' lasses that do, who buggered up a KSK rollover or whatever it was that was screwed. I think that holding up a screw-up is an extremely crass and facile argument against ... anything, let alone a rather esoteric engineering function.
I don't agree with your assertion about "Real security protocols fail closed." That sounds like striving for perfection and you know as well as I do that perfect is the enemy of good.
DNSSEC for better or worse is what we have and I don't think it is too bad. It does give some guarantees within certain parameters. Any decent engineer will look at the risks/rewards and decide on effectiveness and design their solutions to a requirement ... accordingly.
I came to this thread with data. Your 20-at-the-moment DNS domains versus the current signing statistics of the Tranco Top 1000.
At the point where we're arguing about fail-open versus fail-closed, our premises are too far apart to get anywhere. We can part company here: I'm speaking, in part, for the people who believe that any viable security protocol must fail closed.
Plenty of security protocols have ultimately failed in the marketplace and been abandoned. DNSSEC is simply another one of them.
People have been trying to make DNSSEC a thing since 1995. Even when "most websites" didn't use TLS, basically all of ecommerce did: TLS has been load-bearing since the 1990s. Meanwhile, here in 2026, it is literally true that if the root keys landed on Pastebin tonight, almost nobody would need to be paged.
Email is just like physical mail and thankfully just as endearingly human (sometimes).
Once upon a time (1970/80s) I lived on and off in a mystic land called West Germany. Our postal addresses ended with incantations such as BFPO 40.
Around 1985ish my granny sent a Christmas card to us. I should note that she was at this time nearly seventy and sadly suffering from Parkinson's. She addressed the card, in rather crabbed but legible handwriting, to:
Graham and Heath
BFPO 40
My mum's name is abbreviated - her daughter. At that time Rheindahlen (nr Moenchengladbach) had a pretty large contingent of Brits in it - it was HQ (BAOR).
The card arrived well before Chrimbo and it took about a week judging by the postmark, which was pretty normal in those days. She shoved it into a post box in Ipplepen, nr Newton Abbot, Devon and it found its way to an obscure address in another country. I seem to recall she also forgot the stamp but it still got through.
I'm sure mail like that becomes a point of honour to deliver and HM PO and BFPO did the job admirably.
That attitude is how email MTAs are generally designed to work. They cling on to the good old days and sadly the world is a bit shit. Case sensitivity ... lol!
When I was a child I sent a postcard to my grandparents. I forgot to put the house number and addressed the letter to "Oma und Opa" (Grandma and Grandpa). Logically it should not have been delivered successfully.
Thankfully though, the postal worker knew my grandparents had grandchildren and therefore just asked the potential recipients for the names of their grandchildren to determine which grandparents the postcard was addressed to. To me it's still a miracle that it got delivered at all.
Up until at least the 1970s you could do this with smaller places in Germany. My mother has some old letters with addresses like "$surname, $village near $larger-village, West Germany". I assume it was routed to $larger-village, they passed it on to $village, and everyone there knows everyone else so the postie dropped it off the next day.
Bill Bryson claimed to have received a letter addressed to ‘Bill Bryson, Writer, Yorkshire’.
I have some cousins who live in a small town in Australia where the houses have neither names nor numbers. You just address the envelope to ‘<name>, <street>, <town>’, and it’s the postie’s responsibility to know where everyone lives. (‘Postie’ is the official job title in Australia Post because it’s gender-neutral.)
I lived in mildly rural NZ back in the day and it was the same, addresses were "name, street, RD# (rural delivery route number), town" and your mailbox had your name on the side (and a flag you could put up if you wanted mail collected.)
Some time roughly mid-nineties we got numbers but originally they were just for emergency services, only later were they also for post, but I seem to recall the whole rural delivery system may have changed somehow around then too.
RD addresses are still the same. Downside is you have to pay extra for rural delivery because the posties get danger money for avoiding the sheep-eating wetas.
Until 2025 Carmel-by-the-Sea in California had no street addresses. The houses have names or you just have to know who lives in which building. They also didn't have postal delivery, they all had to go to the town post office and pick up their mail.
git itself is decentralised - all repos are equal. Mr T designed it that way because ... well that's all that was needed for Linux kernel development back in the day and it still seems to work. The management stuff can be managed quite well via email and some choice socials. Obviously that nonsense cannot possibly scale to the size of your enterprise thingies!
Yet again we have a better Big Brother than Big Brother ... this time with Rust, yum!
I applied for about 50+ jobs as a graduate engineer in 1991. Back then you wrote letters. Hmmm: You printed letters - mail merge was a thing.
You signed each one by hand, with a quill pen and used a wax seal and cast a Spell of Engagement.
OK, you signed your covering letter with a pen (might be a Biro but I did use a Parker and Quink, myself). You also had to put your covering letter and curriculum vitae (CV == resume) in an envelope and pop a stamp on it (2nd class) and post it. None of that LinkedIn bollocks.
Your covering letter would be bespoke to the company approached. You did some research and mentioned something pertinent.
"So your engineers spend a half day installing that in a VM and debugging it, but the problem is in upstream somewhere."
So get to grips with "upstream"! Managing upset "opinionated" and "entitled" users is par for the course anywhere. Have a look at how Veeam do it, for example.
Obviously that sort of compatibility nonsense never happens in say Windows (fairly popular OS).
Let's take a quick look at say web proxies. Proxies are quite popular in corporate environments but blow me if Windows and vendors who use it make it as hard as possible to deal with:
You might think group policy would sort it all out - lol! You have loads of elderly policies relating to IE (several versions) hanging around smelling rather fishy and mildly useful if you have older Windows hanging around. You can use GPOs to fix the following but it will be Preferences and involve a bit of ingenuity.
You have .Net Framework apps - eg AD Sync (Entra, Smentra whatever its called today). That will need you to fiddle with a specific XML file.
WinHTTP API? PowerShell. OK, you have two sets of settings here: proxy and advproxy. proxy has string properties that you set and is a bit crap, and advproxy has a JSON flavour and is a bit shit. advproxy seems to ignore anything in the ignore list apart from, or exclusively, <local>. At least advproxy allows you to fall back on a proxy.pac file (which IE decided to call wpad.dat, and who can forget an IE5 version that called it WPAD.DA?)
Picking on Linux users is disingenuous - all OSs can be customized to the point of tricky to support and besides who on earth is Twitter?