Perhaps we can reach out to Michele and see where this is on their
agenda? Shall I do so? Do other people share this concern?
Cheers,
Niels
On 05/27/2016 02:38 PM, James Gannon wrote:
> Agreed, so do I see you volunteering to lead this effort? =)
> Happy to assist/help out where I can!
>
> -JG
>
>
>
> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" wrote:
>
>> Hi Rafik,
>>
>> The DNSSEC for Everybody is great and fun, but it's more a very rough
>> 101. The DNSSEC workshop is also great, but it doesn't help you when you
>> are behind a production terminal. Good documentation is needed. Or we
>> need to find out better why adoption levels are so low.
>>
>> Is this something we can bring up?
>>
>> I think this is especially an issue for the NCSG because NGOs,
>> activists and individual users will greatly benefit from increased
>> trust, and more protection against DNS poisoning. With the enormous
>> success of Let's Encrypt (1 million certs distributed, covering >2.5
>> million domains) DNSSEC is the next logical step, and adoption is still
>> _very_ low.
>>
>> Cheers,
>>
>> Niels
>>
>>
>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:
>>> Hi Niels,
>>>
>>> ICANN has regularly organized, for many years now, 2 DNSSEC-related
>>> sessions in each ICANN meeting:
>>>
>>> * DNSSEC Workshop
>>> * DNSSEC for Everybody: A Beginner's Guide
>>>
>>> There are also DNSSEC sessions during conferences like African
>>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum.
>>> My understanding is that ICANN tech team helped some ccTLD
>>> operators http://dnssec-africa.org/
>>>
>>> I don't think there are specific activities toward registrars per se.
>>>
>>> Best,
>>>
>>> Rafik
>>>
>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever:
>>>
>>> Hi James,
>>>
>>> On 05/26/2016 12:12 PM, James Gannon wrote:
>>> > No sorry what are the specific issues, i.e. In understanding the KSK
>>> > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>>> > companies really not understand it?
>>> >
>>> > Because there is a large amount of documentation out there for
>>> > example on configuring DNSSEC in Bind and while yes deploying at
>>> > scale is a risk that registrars would need to analyse and take an
>>> > internal risk position on I'm not sure I understand the ‘even the most
>>> > experienced engineers don’t understand it’ part of the question.
>>> >
>>> > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>>> > is huge amount of work going on in both ICANN and ISOC supporting
>>> > registrars who wish to move down that path in a stable and secure
>>> > path. ISOC has documentation specifically targeted at registrars
>>> > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>>> > I know the RrSG has done some work for ones that are involved in
>>> > that, there is also Deploy360 from ISOC
>>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>>> > community support behind it from a technical perspective for those
>>> > interested.
>>> >
>>>
>>> Have been clicking through the ISOC site, but I cannot find a proper
>>> how-to or documentation for an independent registrar anywhere.
>>>
>>> I think we should push harder for DNSSEC adoption, and ICANN can and
>>> should play a role in this imho, why would it be more of an ISOC task
>>> than an ICANN task?
>>>
>>>
>>> > My question would be what is the thing that needs to be done to
>>> > promote adoption, and from what I have seen so far it's usually risk
>>> > aversion on the business side, and that’s not something that we can
>>> > do much about from the ICANN side of things, something I feel ISOC
>>> > should focus on more tho.
>>>
>>> Business aversion is also because it's hard, and thus will cost more
>>> time. Also: more risk because it might break. This does not balance well
>>> with the increased trust gained with DNSSEC. We can help tip this scale
>>> by making implementation easier through good documentation, no? Looks
>>> like an ICANN task par excellence to me!
>>>
>>> Cheers,
>>>
>>> Niels
>>>
>>>
>>> >
>>> > -J
>>> >
>>> >
>>> >
>>> >
>>> > On 26/05/2016, 11:03, "Niels ten Oever" wrote:
>>> >
>>> >> Do you mean you would like to hear names of registrars that are
>>> >> not offering DNSSEC ? Am afraid it is the majority of the SME
>>> >> registrars / hosting providers.
>>> >>
>>> >> Cheers,
>>> >>
>>> >> Niels
>>> >>
>>> >> On 05/26/2016 11:57 AM, James Gannon wrote:
>>> >>> Have you got any specific examples?
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" wrote:
>>> >>>
>>> >>>> Hi all,
>>> >>>>
>>> >>>> I have been talking to several registrars (especially smaller
>>> >>>> ones that provide a lot of support to NGOs), that do not
>>> >>>> provide DNSSEC yet as part of their service.
>>> >>>>
>>> >>>> The story that I keep on hearing is that even the most
>>> >>>> experienced engineers have issues with understanding the
>>> >>>> configuration of the KSK and Zone signing keys and the key
>>> >>>> rollover, inconsistencies in documentation and therefore lack
>>> >>>> of adoption, because in case of a mistake this might seriously
>>> >>>> impact the production environment.
>>> >>>>
>>> >>>> I think the adoption of DNSSEC is an issue we should care about
>>> >>>> because it has the potential to radically increase trust in the
>>> >>>> DNS system.
>>> >>>>
>>> >>>> Is this an issue you all recognize, and do you know how / if
>>> >>>> ICANN makes (or can make) this easier?
>>> >>>>
>>> >>>> Best,
>>> >>>>
>>> >>>> Niels
>>> >>>>
>>> >>>>
>>> >>>> -- Niels ten Oever Head of Digital
>>> >>>>
>>> >>>> Article 19 www.article19.org <http://www.article19.org>
>>> >>>>
>>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>>> >>>> 68E9
>>> >>>>
>>> >>
>>> >> -- Niels ten Oever Head of Digital
>>> >>
>>> >> Article 19 www.article19.org <http://www.article19.org>
>>> >>
>>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>>> >> 68E9
>>>
>>> --
>>> Niels ten Oever
>>> Head of Digital
>>>
>>> Article 19
>>> www.article19.org <http://www.article19.org>
>>>
>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>>> 678B 08B5 A0F2 636D 68E9
>>>
>>>
>>
>> --
>> Niels ten Oever
>> Head of Digital
>>
>> Article 19
>> www.article19.org
>>
>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>> 678B 08B5 A0F2 636D 68E9
--
Niels ten Oever
Head of Digital
Article 19
www.article19.org
PGP fingerprint 8D9F C567 BEE4 A431 56C4
678B 08B5 A0F2 636D 68E9