bloxHub

www.infoblox.com/community

Whither DNSSEC (Part 2)

Back in October 2010, I posted Whither DNSSEC? which speculated on DNSSEC's second act. If the Internet had a fully DNSSEC-secured namespace, we could add email authorization data and SSH fingerprints to DNS. Two commenters, Chris Angelico and John Speno, suggested storing web site certificates and certs for signing applets in DNS, too.

Either Chris and John were remarkably prescient or they knew about the work being done in the IETF's DANE Working Group. DANE would store web site certificates in records in DNSSEC-signed zones, allowing web site administrators to generate and sign certificates themselves, without the need for a Certification Authority.
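The DANE mechanism described above publishes a TLSA record (RFC 6698) in the signed zone: its rdata is a certificate usage, a selector (full certificate or SubjectPublicKeyInfo), a matching type (exact, SHA-256 or SHA-512) and the resulting association data, and a client checks the certificate the server presents against it. The example below is added here and is not code from the original post or from any Infoblox product. It builds such a record from a certificate and verifies a presented certificate against it; the certificate is a constructed, minimal DER skeleton with placeholder contents (not a real X.509 certificate), and the helper names (`build_toy_cert`, `tlsa_rdata`, `tlsa_matches`) are my own.

```python
"""Added example: build and check a DANE TLSA record (RFC 6698) for a
certificate.  The certificate used is a constructed DER skeleton with
placeholder field contents, not a real X.509 certificate; only the outer
layout (Certificate -> tbsCertificate -> subjectPublicKeyInfo) matters."""
import hashlib
import hmac

SEQUENCE = 0x30


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a short or long definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(body: bytes):
    """Yield (tag, value, raw TLV bytes) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        start = pos
        tag, value, pos = der_read(body, pos)
        yield tag, value, body[start:pos]


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate fields before it: optional [0] version, serialNumber,
    signature, issuer, validity, subject; SPKI is the next SEQUENCE."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:          # explicit [0] version is present
        fields = fields[1:]
    return fields[5][2]


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    """Presentation-format TLSA rdata: 'usage selector matching hexdata'.
    selector 0 = full certificate, 1 = SPKI; matching 0 = exact,
    1 = SHA-256, 2 = SHA-512 (RFC 6698 section 2.1)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 1:
        data = hashlib.sha256(data).digest()
    elif matching == 2:
        data = hashlib.sha512(data).digest()
    elif matching != 0:
        raise ValueError("unknown matching type %d" % matching)
    return "%d %d %d %s" % (usage, selector, matching, data.hex())


def tlsa_matches(record: str, presented_cert: bytes) -> bool:
    """Does the certificate a server presented satisfy this TLSA record?
    Usage 3 (DANE-EE) matches the end-entity certificate directly; usages
    0-2 would additionally require PKIX or trust-anchor path checks."""
    usage, selector, matching, hexdata = record.split()
    expected = tlsa_rdata(presented_cert, int(usage), int(selector), int(matching))
    return hmac.compare_digest(expected.split()[3], hexdata.lower())


def build_toy_cert(key_bytes: bytes):
    """Construct a minimal DER certificate skeleton (placeholder contents,
    not a valid certificate) and return (certificate, its SPKI)."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))           # [0] v3
    serial = der_tlv(0x02, b"\x01")
    rsa_sha256 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"       # OID placeholder
    sig_alg = der_tlv(SEQUENCE, der_tlv(0x06, rsa_sha256))
    issuer = der_tlv(SEQUENCE, b"")                             # empty Name
    validity = der_tlv(SEQUENCE, der_tlv(0x17, b"240101000000Z")
                       + der_tlv(0x17, b"250101000000Z"))
    subject = der_tlv(SEQUENCE, b"")
    alg = der_tlv(SEQUENCE, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
    spki = der_tlv(SEQUENCE, alg + der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_tlv(SEQUENCE, version + serial + sig_alg + issuer
                  + validity + subject + spki)
    signature = der_tlv(0x03, b"\x00" + b"\x00" * 32)          # placeholder bits
    return der_tlv(SEQUENCE, tbs + sig_alg + signature), spki


if __name__ == "__main__":
    cert, _ = build_toy_cert(b"\x01\x02\x03\x04")
    record = tlsa_rdata(cert, 3, 1, 1)      # "3 1 1 <sha256 of SPKI>"
    print("_443._tcp.www.example.com. IN TLSA", record)
    print("presented cert matches:", tlsa_matches(record, cert))
```

The "3 1 1" form (DANE-EE, SPKI, SHA-256) is the one most operators publish, because the record survives certificate renewal as long as the key pair is kept, and it never exposes the certificate body in DNS. The check only means anything if the TLSA lookup itself was DNSSEC-validated; an unsigned or insecure answer must be treated as no record at all.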

A more recent effort to capitalize on the utility of DNSSEC-secured zones is ROVER, BGP Route Origin VERification. ROVER uses DNS to publish route origin information in the reverse-mapping namespace (e.g., in-addr.arpa). Two new DNS record types would allow administrators to specify BGP route filters. (There have been other efforts to secure BGP, such as RPKI, but none have taken off yet.)

There are so many other possible applications of a signed, secured namespace, and they address so many long-standing weaknesses in Internet protocols. Surely achieving this must be worth the pain of implementing DNSSEC.
