Agreed, so do I see you volunteering to lead this effort? =)
Happy to assist/help out where I can!
-JG
On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>Hi Rafik,
>
>The DNSSEC for Everybody is great and fun, but it's more a very rough
>101. The DNSSEC workshop is also great, but it doesn't help you when you
>are behind a production terminal. Good documentation is needed. Or we
>need to find out better why adoption levels are so low.
>
>Is this something we can bring up?
>
>I think this is especially an issue for the NCSG because NGOs,
>activists and individual users will greatly benefit from increased
>trust, and more protection against DNS poisoning. With the enormous
>success of Let's Encrypt (1 million certs distributed, covering >2.5
>million domains) DNSSEC is the next logical step, and adoption is still
>_very_ low.
>
>Cheers,
>
>Niels
>
>
>On 05/27/2016 01:34 PM, Rafik Dammak wrote:
>> Hi Niels,
>>
>> ICANN organizes regularly for many years now in each ICANN meeting 2
>> DNSSec sessions related:
>>
>> * DNSSEC Workshop
>> * DNSSEC for Everybody: A Beginner's Guide
>>
>> there are also DNSSec sessions during conferences like African
>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum.
>> My understanding is that ICANN tech team helped some ccTLD
>> operators http://dnssec-africa.org/
>>
>> I don't think there are specific activities toward registrars per se.
>>
>> Best,
>>
>> Rafik
>>
>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]
>> <mailto:[log in to unmask]>>:
>>
>> Hi James,
>>
>> On 05/26/2016 12:12 PM, James Gannon wrote:
>> > No sorry what are the specific issues, i.e. In understanding the KSK
>> > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>> > companies really not understand it?
>> >
>> > Because there is a large amount of documentation out there for
>> > example on configuring DNSSEC in Bind and while yes deploying at
>> > scale is a risk that registrars would need to analyse and take an
>> > internal risk position on I'm not sure I understand the ‘even the most
>> > experienced engineers don’t understand it’ part of the question.
>> >
>> > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>> > is a huge amount of work going on in both ICANN and ISOC supporting
>> > registrars who wish to move down that path in a stable and secure
>> > path. ISOC has documentation specifically targeting at registrars
>> > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>> > I know the RrSG has done some work for ones that are involved in
>> > that, there is also Deploy360 from ISOC
>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>> > community support behind it from a technical perspective for those
>> > interested.
>> >
>>
>> Have been clicking through the ISOC site, but I cannot find a proper
>> how-to or documentation for an independent registrar anywhere.
>>
>> I think we should push harder for DNSSEC adoption, and ICANN can and
>> should play a role in this imho, why would it be more of an ISOC task
>> than an ICANN task?
>>
>>
>> > My question would be what is the thing that needs to be done to
>> > promote adoption, and from what I have seen so far it's usually risk
>> > aversion on the business side, and that’s not something that we can
>> > do much about from the ICANN side of things, something I feel ISOC
>> > should focus on more tho.
>>
>> Business aversion is also because it's hard, and thus will cost more
>> time. Also: more risk because it might break. This does not balance well
>> with the increased trust gained with DNSSEC. We can help tip this scale
>> by making implementation easier through good documentation, no? Looks
>> like an ICANN task par excellence to me!
>>
>> Cheers,
>>
>> Niels
>>
>>
>> >
>> > -J
>> >
>> >
>> >
>> >
>> > On 26/05/2016, 11:03, "Niels ten Oever"
>> <[log in to unmask] <mailto:[log in to unmask]>>
>> > wrote:
>> >
>> >> Do you mean you would like to hear names of registrars that are
>> >> not offering DNSSEC ? Am afraid it is the majority of the SME
>> >> registrars / hosting providers.
>> >>
>> >> Cheers,
>> >>
>> >> Niels
>> >>
>> >> On 05/26/2016 11:57 AM, James Gannon wrote:
>> >>> Have you got any specific examples?
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"
>> >>> <[log in to unmask]
>> <mailto:[log in to unmask]> on behalf of
>> >>> [log in to unmask]
>> <mailto:[log in to unmask]>> wrote:
>> >>>
>> >>>> Hi all,
>> >>>>
>> >>>> I have been talking to several registrars (especially smaller
>> >>>> ones that provide a lot of support to NGOs), that do not
>> >>>> provide DNSSEC yet as part of their service.
>> >>>>
>> >>>> The story that I keep on hearing is that even the most
>> >>>> experienced engineers have issues with understanding the
>> >>>> configuration of the KSK and Zone signing keys and the key
>> >>>> rollover, inconsistencies in documentation and therefore lack
>> >>>> of adoption, because in case of a mistake this might seriously
>> >>>> impact the production environment.
>> >>>>
>> >>>> I think the adoption of DNSSEC is an issue we should care about
>> >>>> because it has the potential to radically increase trust in the
>> >>>> DNS system.
>> >>>>
>> >>>> Is this an issue you all recognize, and do you know how / if
>> >>>> ICANN makes (or can make) this easier?
>> >>>>
>> >>>> Best,
>> >>>>
>> >>>> Niels
>> >>>>
>> >>>>
>> >>>> -- Niels ten Oever Head of Digital
>> >>>>
>> >>>> Article 19 www.article19.org <http://www.article19.org>
>> >>>>
>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>> >>>> 68E9
>> >>>>
>> >>
>> >> -- Niels ten Oever Head of Digital
>> >>
>> >> Article 19 www.article19.org <http://www.article19.org>
>> >>
>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>> >> 68E9
>>
>> --
>> Niels ten Oever
>> Head of Digital
>>
>> Article 19
>> www.article19.org <http://www.article19.org>
>>
>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>> 678B 08B5 A0F2 636D 68E9
>>
>>
>
>--
>Niels ten Oever
>Head of Digital
>
>Article 19
>www.article19.org
>
>PGP fingerprint 8D9F C567 BEE4 A431 56C4
> 678B 08B5 A0F2 636D 68E9