> Oh, and if you're not using a validating resolver yourself you're also trusting that you're ISP is using one and not manipulating the responses.
I really don't understand why people keep repeating that complaint. Of course, if you don't check the keys you don't get any security.
How is that a problem of the algorithm? And how is that a problem in practice? If you want some real amount of security you check the keys, be they SSL certificates, DNSSEC signatures, or whatever other encryption system people put in place.
You're speaking from the perspective of somebody who could set this up for himself. "Normal" people don't know stuff like this, but we can't leave them unprotected.
That's why DANE for mail servers is such an attractive target. They're usually run by people who know what they're doing and it helps bring a lot of infrastructure into place.
The point is that there's nothing for normal people to setup (or, at least, it does not have to be). Your email software should verify DANE keys, just like your browser verifies TLS keys.
The fact that current software is hard to configure is just a symptom that it's badly designed. The only inherently hard thing in DNSSEC is distributing your domain data (not really harder than setting up a server for TLS), and normal people do not do that.
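To make the two points in this exchange concrete (the client software does the key check, and the check is only worth anything when the DNS answer itself was validated), here is an added example of how a mail client would evaluate a DANE-EE TLSA record against the certificate a server presents. It is not code from the thread or from any mail software; the certificate and key bytes are constructed sample data, and the client is assumed to learn whether the TLSA answer was DNSSEC-validated from its resolver (the AD bit, or its own validation). Field meanings follow RFC 6698: usage 3 = DANE-EE, selector 0/1 = full certificate / SubjectPublicKeyInfo, matching type 0/1/2 = exact / SHA-256 / SHA-512.

```python
"""Added example (not from the thread): evaluating a DANE-EE TLSA record.

A TLSA answer that was not DNSSEC-validated is treated exactly like having
no TLSA data at all, which is the "validating resolver" point above: an
on-path ISP could otherwise hand the client a record that matches whatever
certificate the attacker presents.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample inputs: not a real certificate, key, or DNS answer.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-end-entity-certificate"
SAMPLE_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"


@dataclass(frozen=True)
class TLSARecord:
    usage: int              # 3 = DANE-EE: match the end-entity certificate itself
    selector: int           # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching_type: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    association: bytes      # certificate association data from the record
    dnssec_validated: bool  # assumed to come from the resolver (AD bit / local validation)


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute what the record's association field must contain for this certificate.

    In a real client the SPKI would be extracted from the certificate; here both
    are passed in as constructed bytes.
    """
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def dane_ee_accepts(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a presented certificate under one TLSA record."""
    if not record.dnssec_validated:
        # Unauthenticated TLSA data gives no security; it must not be used at all.
        return False, "TLSA answer was not DNSSEC-validated; treat as if no DANE data exists"
    if record.usage != 3:
        # Usage 2 (DANE-TA) needs chain building against the named trust anchor;
        # usages 0/1 additionally need PKIX validation. Out of scope here.
        return False, "only DANE-EE (usage 3) is handled in this example"
    try:
        expected = association_data(cert_der, spki_der, record.selector, record.matching_type)
    except ValueError as exc:
        return False, f"unusable record: {exc}"
    # Constant-time comparison of the hash or raw bytes.
    if hmac.compare_digest(expected, record.association):
        return True, "presented certificate matches the TLSA record"
    return False, "presented certificate does not match the TLSA record"


def make_record(cert_der: bytes, spki_der: bytes, selector: int = 1,
                matching_type: int = 1, validated: bool = True) -> TLSARecord:
    """Build the TLSA record a zone operator would publish for this certificate."""
    assoc = association_data(cert_der, spki_der, selector, matching_type)
    return TLSARecord(3, selector, matching_type, assoc, validated)


if __name__ == "__main__":
    published = make_record(SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(dane_ee_accepts(published, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    # Same record, but the resolver did not validate the answer: rejected.
    unvalidated = make_record(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, validated=False)
    print(dane_ee_accepts(unvalidated, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The first result is accepted; the second is refused even though the bytes match, because the record cannot be trusted. A real client would also try every TLSA record in the answer and handle the other usages, but the shape of the decision is the same: verify the DNSSEC chain, then match the key, with nothing for the end user to configure.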