We go through every place that 4-byte IPv4 addresses appear, and allow 16-byte IPv6 addresses in the same place. Isn't it the same deal for DNS?
Actually, I don't think so. The intermediate state on the upgrade path for DNSSEC is infinitely easier than for IPv6, which is what DJB seems to be pointing out.
Of course, in many circumstances the real security benefits are not obtained as long as the attacker can simply strip off the DNSSEC information and downgrade the client back to 'compatible mode'. But this seems to be an inherent difficulty in strengthening authentication in any diverse ecosystem of endpoints.
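The downgrade described above, as an added example that is not part of the thread: a toy model of a DNSSEC-validating resolver in Python, with constructed stand-in names and records, showing why stripping the signatures only succeeds against a client that does not validate, or for a name that has no secure delegation from its parent.

```python
# Added example, not from the thread. A toy model of DNSSEC validation that
# shows when a "strip the signatures" downgrade works and when it does not.
# All names and records are constructed stand-ins, not real DNS data.
from dataclasses import dataclass


@dataclass
class Response:
    name: str                   # owner name the answer is for
    rrsig_present: bool         # did the answer carry an RRSIG record?
    sig_valid: bool = False     # stand-in for real cryptographic verification


# Constructed view of the signed parent zone: which child zones have a DS
# record published, i.e. which delegations are secure. A validating resolver
# learns this from the parent, chained up to its configured trust anchor, so
# an on-path attacker cannot forge "no DS here" without breaking that chain.
SECURE_DELEGATIONS = {"example.test."}


def classify(resp, secure_delegations=SECURE_DELEGATIONS):
    """Classify an answer as 'secure', 'insecure' or 'bogus' (RFC 4035 terms)."""
    zone_is_signed = resp.name in secure_delegations
    if not zone_is_signed:
        # No DS at the parent: nothing to verify, accepted as insecure.
        # This is the only place where an unsigned answer is legitimate.
        return "insecure"
    if not resp.rrsig_present:
        # The DS proves the zone is signed, so a missing RRSIG means the
        # signatures were stripped (or the zone is broken). A validator
        # refuses the answer instead of falling back to "compatible mode".
        return "bogus"
    return "secure" if resp.sig_valid else "bogus"


def stub_accepts(resp, validating):
    """A non-validating stub trusts whatever it gets: that is 'compatible mode'."""
    if not validating:
        return True
    return classify(resp) != "bogus"
```

The same stripped answer is accepted by the non-validating stub and refused by the validating one; the downgrade only works where validation is absent or the delegation was never signed.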
You're right that unlike IPv6, DNSSEC does not require a unanimous "flag day" upgrade. And you're right that that's relevant. Partly, this is because by design, DNSSEC only protects DNSSEC servers; the path between a modern browser and the DNS server configured by DHCP is not protected by DNSSEC.
At the risk of bucketing myself as a crackpot: I'm actually not a big fan of IPv6 either. I don't believe that in 50 years anyone is going to care what an IP address is; we'll have long since built new overlays on top of whatever transports we come up with, and IP will be an archeological curiosity.
The network should be dumb; it's the endpoints that need to be smart.
I agree completely about the dumb network. Security, in particular, lives in the endpoints.
But still, net-boot BIOSes and BOOTP/DHCP protocols have been around since 1985 (RFC 951). They show no signs of going away. Possibly the problem of bootstrapping the configuration and security relationships will be with us as long as there are security boundaries on the networks.
And there will be security boundaries on networks as long as there are mediated boundaries in the real world.