> - DNSSEC enables and facilitates reflected DoS attacks by amplifying attackers' bandwidth;
That's a problem today, without DNSSEC, and requires fixing regardless, whether or not DNSSEC becomes widespread.
> - Using DNSSEC allows anyone to enumerate any of the zones of your subdomain, effectively turning on public DNS transfers for anyone who asks (see the paper for attacks against NSEC and NSEC3);
I thought NSEC3 fixed that, but I wouldn't be surprised if there were attacks against it. I don't think that's an insurmountable problem.
Chicken and egg. shrug There's no reason an OS can't come with such a resolver built in. Personally I take the 60 seconds or so required to do an "apt-get install unbound" to get this functionality whenever I build a system.
In brief,
- DNSSEC enables and facilitates reflected DoS attacks by amplifying attackers' bandwidth;
- Using DNSSEC allows anyone to enumerate any of the zones of your subdomain, effectively turning on public DNS transfers for anyone who asks (see the paper for attacks against NSEC and NSEC3);
- Most importantly, no common resolver validates or enforces the validity of DNSSEC records. Chromium closed the pull request as WontFix: https://code.google.com/p/chromium/issues/detail?id=50874 and Mozilla have no current plans to implement it: https://bugzilla.mozilla.org/show_bug.cgi?id=672600
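An added example, not posted by anyone in this thread: a small POSIX shell check that tells you whether the resolver you point it at (the locally installed unbound from the reply above, by default) actually validates DNSSEC, using dig's AD flag on a signed name and the SERVFAIL a validating resolver must return for Comcast's deliberately broken dnssec-failed.org. The resolver address, the test names and the presence of `dig` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): query a resolver for a signed name and for
# a deliberately broken one, then read dig's header to see whether it validates.
# Assumes `dig` is installed; RESOLVER defaults to a local unbound instance.
RESOLVER="${RESOLVER:-127.0.0.1}"
SIGNED_NAME="internetsociety.org"   # a DNSSEC-signed zone (assumed to stay signed)
BROKEN_NAME="dnssec-failed.org"     # Comcast's test zone with a deliberately bad signature

# ad_flag_set: reads dig output on stdin; succeeds if the AD (authenticated data)
# flag is present in the header, which only a validating resolver sets.
ad_flag_set() {
  grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# rcode_of: prints the response status (NOERROR, SERVFAIL, ...) from dig output on stdin.
rcode_of() {
  sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# check_resolver: a validating resolver sets AD on the signed name and returns
# SERVFAIL (no answer at all) for the broken one; a non-validating one does neither.
check_resolver() {
  out=$(dig @"$RESOLVER" +dnssec +time=2 +tries=1 "$SIGNED_NAME" A)
  if printf '%s\n' "$out" | ad_flag_set; then
    echo "$SIGNED_NAME: AD flag set, the resolver validated the answer"
  else
    echo "$SIGNED_NAME: no AD flag, the answer was not validated"
  fi
  out=$(dig @"$RESOLVER" +dnssec +time=2 +tries=1 "$BROKEN_NAME" A)
  case "$(printf '%s\n' "$out" | rcode_of)" in
    SERVFAIL) echo "$BROKEN_NAME: SERVFAIL, bogus data was rejected" ;;
    *)        echo "$BROKEN_NAME: answered, the resolver is not validating" ;;
  esac
}

# Only run the live check when invoked with --run, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
  check_resolver
fi
```

Run it as `RESOLVER=8.8.8.8 sh check.sh --run` to test a remote resolver instead of the local one.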