I don't think we need a training session, but the registrars and hosting
providers :)
On 05/27/2016 03:05 PM, farzaneh badii wrote:
> We can invite Patrik Falstrom and have a training session.
>
> On 27 May 2016 at 14:56, James Gannon <[log in to unmask]
> <mailto:[log in to unmask]>> wrote:
>
> I like that idea. Lets try and gather some info before Helsinki and
> see if this is something we need to put time into and where our time
> is best spent.
>
> -jg
>
>
>
>
> On 27/05/2016, 13:55, "Niels ten Oever" <[log in to unmask]
> <mailto:[log in to unmask]>> wrote:
>
> >Perhaps we can reach out to Michele and see where this is on their
> >agenda? Shall I do so? Do other people share this concern?
> >
> >Cheers,
> >
> >Niels
> >
> >On 05/27/2016 02:38 PM, James Gannon wrote:
> >> Agreed, so do I see you volunteering to lead this effort? =)
> >> Happy to assist/help out where I can!
> >>
> >> -JG
> >>
> >>
> >>
> >> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever"
> <[log in to unmask]
> <mailto:[log in to unmask]> on behalf of
> [log in to unmask] <mailto:[log in to unmask]>> wrote:
> >>
> >>> Hi Rafik,
> >>>
> >>> The DNSSEC for Everybody is great and fun, but it's more a very
> rough
> >>> 101. The DNSSEC workshop is also great, but it doesn't help you
> when you
> >>> are behind a production terminal. Good documentation is needed.
> Or we
> >>> need to find out better why adoption levels are so low.
> >>>
> >>> Is this something we can bring up?
> >>>
> >>> I think this is especially an issue for the NCSG because NGO's,
> >>> activists and individual users will greatly benefit from increased
> >>> trust, and more protection against DNS poisoining. With the enormous
> >>> success of Let's Encrypt (1 milltion certs distributed, covering
> >2.5
> >>> million domains) DNSSEC is the next logical step, and adoption
> is still
> >>> _very_ low.
> >>>
> >>> Cheers,
> >>>
> >>> Niels
> >>>
> >>>
> >>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:
> >>>> Hi Niels,
> >>>>
> >>>> ICANN organizes regularly for many years now in each ICANN
> meeting 2
> >>>> DNSSec sessions related:
> >>>>
> >>>> * DNSSEC Workshop
> >>>> * DNSSEC for Everybody: A Beginner's Guide
> >>>>
> >>>> there are also also DNSSec session during conferences like African
> >>>> Internet Summit
> (https://internetsummitafrica.org/programme/agenda),
> >>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN
> DNS forum
> >>>> . my understanding is that ICANN tech team helped some ccTLD
> >>>> operators http://dnssec-africa.org/
> >>>>
> >>>> I don't think there are specific activities toward registrars
> per se.
> >>>>
> >>>> Best,
> >>>>
> >>>> Rafik
> >>>>
> >>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever
> <[log in to unmask] <mailto:[log in to unmask]>
> >>>> <mailto:[log in to unmask]
> <mailto:[log in to unmask]>>>:
> >>>>
> >>>> Hi James,
> >>>>
> >>>> On 05/26/2016 12:12 PM, James Gannon wrote:
> >>>> > No sorry what are the specific issues, i.e. In
> understanding the KSK
> >>>> > and ZSK keys, in documentation etc? Do DNS engineers at
> hosting
> >>>> > companies really not understand it?
> >>>> >
> >>>> > Because there is a large amount of documentation out
> there for
> >>>> > example on configuring DNSSEC in Bind and while yes
> deploying at
> >>>> > scale is a risk that registrars would need to analysise
> and take an
> >>>> > internal risk position on Im not sure I understand the
> ‘even the most
> >>>> > experienced engineers don’t understand it’ part of the
> question.
> >>>> >
> >>>> > The rest I do for sure, adoption of DNSSEC is a big
> topic, but there
> >>>> > is huge amount son work going on in both ICANN and ISOC
> supporting
> >>>> > registrars who wish to move down that path in a stable
> and secure
> >>>> > path. ISOC has documentation specifically targeting at
> registrars
> >>>> >
> http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
> >>>> > I know the RrSG has done some work for ones that are
> involved in
> >>>> > that, there is also Deplay360 from ISOC
> >>>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
> >>>> > community support behind it from a technical perspective
> for those
> >>>> > interested.
> >>>> >
> >>>>
> >>>> Have been clicking through the ISOC site, but I cannot find
> a proper
> >>>> how-to or documentation for an indepdendent registrar anywhere.
> >>>>
> >>>> I think we should push harder for DNSSEC adoption, and
> ICANN can and
> >>>> should play a role in this imho, why would it be more of an
> ISOC task
> >>>> than a ICANN task?
> >>>>
> >>>>
> >>>> > My question would be what is the thing that needs to be
> done to
> >>>> > promote adoption, and from what I have seen so far its
> usually risk
> >>>> > aversion on the business side, and that’s not something
> that we can
> >>>> > do much about from the ICANN side of things, something I
> feel ISOC
> >>>> > should focus on more tho.
> >>>>
> >>>> Business aversion is also because it's hard, and thus will
> cost more
> >>>> time. Also: more risk because it might break. This does not
> balance well
> >>>> with the increased trust gained with DNSSEC. We can help
> tip this scale
> >>>> by making implementation easier through good documentation,
> no? Looks
> >>>> like an ICANN task par excellence to me!
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Niels
> >>>>
> >>>>
> >>>> >
> >>>> > -J
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>> > On 26/05/2016, 11:03, "Niels ten Oever"
> >>>> <[log in to unmask]
> <mailto:[log in to unmask]>
> <mailto:[log in to unmask]
> <mailto:[log in to unmask]>>>
> >>>> > wrote:
> >>>> >
> >>>> >> Do you mean you would like to hear names of registrars
> that are
> >>>> >> not offering DNSSEC ? Am afraid it is the majority of
> the SME
> >>>> >> registrars / hosting providers.
> >>>> >>
> >>>> >> Cheers,
> >>>> >>
> >>>> >> Niels
> >>>> >>
> >>>> >> On 05/26/2016 11:57 AM, James Gannon wrote:
> >>>> >>> Have you got any specific examples?
> >>>> >>>
> >>>> >>>
> >>>> >>>
> >>>> >>>
> >>>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels
> ten Oever"
> >>>> >>> <[log in to unmask]
> <mailto:[log in to unmask]>
> >>>> <mailto:[log in to unmask]
> <mailto:[log in to unmask]>> on behalf of
> >>>> >>> [log in to unmask]
> <mailto:[log in to unmask]>
> >>>> <mailto:[log in to unmask]
> <mailto:[log in to unmask]>>> wrote:
> >>>> >>>
> >>>> >>>> Hi all,
> >>>> >>>>
> >>>> >>>> I have been talking to several registrars (especially
> smaller
> >>>> >>>> ones that provide a lot of support to NGOs), that do not
> >>>> >>>> provide DNSSEC yet as part of their service.
> >>>> >>>>
> >>>> >>>> The story that I keep on hearing is that even the most
> >>>> >>>> experienced engineers have issues with understanding the
> >>>> >>>> configuration of the KSK and Zone signing keys and the key
> >>>> >>>> rollover, inconsistencies in documentation and
> therefore lack
> >>>> >>>> of adoption, because in case of a mistake this might
> seriously
> >>>> >>>> impact the production environment.
> >>>> >>>>
> >>>> >>>> I think the adoption of DNSSEC is an issue we should
> care about
> >>>> >>>> because it has the potential to radically increase
> trust in the
> >>>> >>>> DNS system.
> >>>> >>>>
> >>>> >>>> Is this an issue you all recognize, and do you know
> how / if
> >>>> >>>> ICANN makes (or can make) this easier?
> >>>> >>>>
> >>>> >>>> Best,
> >>>> >>>>
> >>>> >>>> Niels
> >>>> >>>>
> >>>> >>>>
> >>>> >>>> -- Niels ten Oever Head of Digital
> >>>> >>>>
> >>>> >>>> Article 19 www.article19.org
> <http://www.article19.org> <http://www.article19.org>
> >>>> >>>>
> >>>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5
> A0F2 636D
> >>>> >>>> 68E9
> >>>> >>>>
> >>>> >>
> >>>> >> -- Niels ten Oever Head of Digital
> >>>> >>
> >>>> >> Article 19 www.article19.org <http://www.article19.org>
> <http://www.article19.org>
> >>>> >>
> >>>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5
> A0F2 636D
> >>>> >> 68E9
> >>>>
> >>>> --
> >>>> Niels ten Oever
> >>>> Head of Digital
> >>>>
> >>>> Article 19
> >>>> www.article19.org <http://www.article19.org>
> <http://www.article19.org>
> >>>>
> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
> >>>> 678B 08B5 A0F2 636D 68E9
> >>>>
> >>>>
> >>>
> >>> --
> >>> Niels ten Oever
> >>> Head of Digital
> >>>
> >>> Article 19
> >>> www.article19.org <http://www.article19.org>
> >>>
> >>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
> >>> 678B 08B5 A0F2 636D 68E9
> >
> >--
> >Niels ten Oever
> >Head of Digital
> >
> >Article 19
> >www.article19.org <http://www.article19.org>
> >
> >PGP fingerprint 8D9F C567 BEE4 A431 56C4
> > 678B 08B5 A0F2 636D 68E9
>
>
>
>
> --
> Farzaneh
--
Niels ten Oever
Head of Digital
Article 19
www.article19.org
PGP fingerprint 8D9F C567 BEE4 A431 56C4
678B 08B5 A0F2 636D 68E9
|