[Cryptography] DNSSEC = completely unnecessary?

Bill Stewart bill.stewart at pobox.com
Mon Nov 4 20:48:09 EST 2013


At 08:33 PM 11/3/2013, Greg <greg at kinostudios.com> wrote:
>In all my readings on it I kept walking away thinking that I 
>understood its purpose, but I'd then come back at myself with the 
>same question: what does it give us over HTTPS?

SSH isn't HTTPS.  Nor are SFTP, SCP, etc.
IPsec isn't HTTPS.
Outbound Email isn't HTTPS, even if it's sometimes TLS.
Inbound SMTP often isn't even TLS, but sometimes you want to check 
where it came from.
DNS isn't HTTPS, but sometimes you want to trust it, or if you're Dan 
Kaminsky you might want to tunnel ssh and video over it.
NFS isn't HTTPS, and sometimes you want to use DNS with it.
Printer protocols often aren't HTTPS.

There really are protocols that don't look like HTTP variants, but 
use DNS.  And DNSSEC has theoretically been around a long time, even 
though in practice it got delayed for years and we did SSL/TLS instead.

DNSSEC doesn't protect you against exactly the same threats that 
SSL/TLS CAs do - it does a better job of confirming that you're 
talking to example.com when you think you are.  Some CAs try to do a 
better job of telling you that example.com belongs to The Example 
Corporation, as opposed to examp1e.com (note the numeral "1") which 
belongs to Scammers Inc., but you've got to be good at restricting 
which CAs you believe.
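As an added illustration (not part of Bill Stewart's message or of the thread), the Python below shows the one link in the DNSSEC chain of trust that lets a validator confirm it is talking to example.com's zone: the parent zone publishes a DS record, which is a hash of the child's DNSKEY (RFC 4034 section 5.1.4, SHA-256 per RFC 4509, key tag per RFC 4034 Appendix B), so a key substituted by an attacker, or the same key offered under another owner name such as examp1e.com, does not match. The key bytes are a constructed placeholder, not a real zone key, and the RRSIG signatures over the records themselves are not shown.

```python
"""Added example: how a DNSSEC parent pins a child zone's key via DS.

Not code from the original post.  The DNSKEY below is a constructed
placeholder; a real zone key is a public key of the signing algorithm.
"""
import hashlib

DIGEST_SHA256 = 2      # DS digest type 2 (RFC 4509)
FLAGS_KSK = 257        # zone key (256) + secure entry point (1)
PROTOCOL = 3           # always 3 for DNSSEC
ALG_ECDSAP256SHA256 = 13

# Constructed placeholder key material (NOT a real ECDSA public key).
FAKE_PUBKEY = b"\x00\x01\x02\x03"


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase
    labels, each prefixed by its length, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata):
    """The DS RDATA the parent publishes for the child's DNSKEY:
    (key tag, algorithm, digest type, hex digest).  The digest covers the
    owner name too, so a DS is bound to exactly one zone name."""
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DIGEST_SHA256, digest)


def dnskey_matches_ds(owner, rdata, ds):
    """What a validator does: recompute the DS from the DNSKEY it received
    and compare it with the DS it got (signed) from the parent zone."""
    return ds_record(owner, rdata) == ds


def demo():
    """Walk through the check for the real key, a swapped key, and a
    lookalike name.  Returns the three results."""
    ksk = dnskey_rdata(FLAGS_KSK, PROTOCOL, ALG_ECDSAP256SHA256, FAKE_PUBKEY)
    ds = ds_record("example.com", ksk)          # published by .com
    # Attacker answers the DNSKEY query with a key of their own.
    rogue = dnskey_rdata(FLAGS_KSK, PROTOCOL, ALG_ECDSAP256SHA256,
                         b"\x00\x01\x02\x04")
    return {
        "genuine": dnskey_matches_ds("example.com", ksk, ds),
        "rogue_key": dnskey_matches_ds("example.com", rogue, ds),
        "lookalike_name": dnskey_matches_ds("examp1e.com", ksk, ds),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'matches DS' if ok else 'does NOT match DS'}")
```

The rogue key also gets a different key tag, but the tag is only a lookup hint; the digest comparison is the actual check. Note that the DS chain establishes which key belongs to the name example.com; it says nothing about who owns that name, which is the distinction the message draws with the CA case.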
