> I really don't understand why the existence of software that doesn't try to take advantage of DNSSEC is being used as evidence that DNSSEC is incapable of doing something.
It's not that DNSSEC is fundamentally "incapable" of doing this, but that it's literally not what the protocol is designed to do. As noted in the other HN thread on this announcement, the DNSSEC protocol is explicitly not designed for end-user verification, and end-users are discouraged from running their own valdiators. There's a reason that browsers don't support this out-of-the-box and (more importantly) don't ever plan on it.
If you're concerned about people snooping on your TCP packets, DNSSEC doesn't solve that. If you're concerned about people spoofing DNS responses, DNSSEC doesn't solve that[0]. TLS + HSTS does solve that, by making it impossible to load a forged page, regardless of what DNS records were returned[1].
Again, TLS solves all the problems you describe (including the problem of ISPs redirecting mistyped pages to their own advertising pages). TLS is also supported by every browser, out-of-the-box. It's more secure, easier to deploy, and already widely used.
[0] Again, as explained in the post, DNSSEC is not designed to protect end-users against malicious ISPs. This is literally a matter of what problems DNSSEC is even aimed at solving.
[1] Notice how http://google.com (not even https://) will never redirect to a captive portal. That's not DNSSEC. That's TLS + HSTS. DNSSEC is redundant in this situation.
> [...] but that it's literally not what the protocol is designed to do.
> the DNSSEC protocol is explicitly not designed for end-user verification
> This is literally a matter of what problems DNSSEC is even aimed at solving.
Repetition doesn't make that argument any more valid. If DNSSEC wasn't intended to have this capability, it's for the same reasons that it wasn't intended to be used for on-the-fly signing: it was designed in the mid-'90s when that was impractical. Nowadays it is practical and it does in fact work just fine for this purpose, and it provides an extra layer of defense in depth and stops some attacks sooner than TLS can and provides some added security to things that aren't using TLS (because remember, there's more to the Internet than just the WWW, and many of those things don't have the aggressive upgrade cycle that Chrome uses).
It's not that DNSSEC is fundamentally "incapable" of doing this, but that it's literally not what the protocol is designed to do. As noted in the other HN thread on this announcement, the DNSSEC protocol is explicitly not designed for end-user verification, and end-users are discouraged from running their own valdiators. There's a reason that browsers don't support this out-of-the-box and (more importantly) don't ever plan on it.
If you're concerned about people snooping on your TCP packets, DNSSEC doesn't solve that. If you're concerned about people spoofing DNS responses, DNSSEC doesn't solve that[0]. TLS + HSTS does solve that, by making it impossible to load a forged page, regardless of what DNS records were returned[1].
Again, TLS solves all the problems you describe (including the problem of ISPs redirecting mistyped pages to their own advertising pages). TLS is also supported by every browser, out-of-the-box. It's more secure, easier to deploy, and already widely used.
[0] Again, as explained in the post, DNSSEC is not designed to protect end-users against malicious ISPs. This is literally a matter of what problems DNSSEC is even aimed at solving.
[1] Notice how http://google.com (not even https://) will never redirect to a captive portal. That's not DNSSEC. That's TLS + HSTS. DNSSEC is redundant in this situation.