NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: DNSSEC key rollover issues
From:
James Gannon <[log in to unmask]>
Reply To:
James Gannon <[log in to unmask]>
Date:
Thu, 26 May 2016 10:12:14 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (1 lines) 
No sorry what are the specific issues, i.e. In understanding the KSK and ZSK keys, in documentation etc? Do DNS engineers at hosting companies really not understand it?



Because there is a large amount of documentation out there for example on configuring DNSSEC in Bind and while yes deploying at scale is a risk that registrars would need to analysise and take an internal risk position on Im not sure I understand the ‘even the most experienced engineers don’t understand it’ part of the question.



The rest I do for sure, adoption of DNSSEC is a big topic, but there is huge amount son work going on in both ICANN and ISOC supporting registrars who wish to move down that path in a stable and secure path. ISOC has documentation specifically targeting at registrars http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ I know the RrSG has done some work for ones that are involved in that, there is also Deplay360 from ISOC http://www.internetsociety.org/deploy360/dnssec/ and a lot of community support behind it from a technical perspective for those interested. 



My question would be what is the thing that needs to be done to promote adoption, and from what I have seen so far its usually risk aversion on the business side, and that’s not something that we can do much about from the ICANN side of things, something I feel ISOC should focus on more tho.



-J









On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask]> wrote:



>Do you mean you would like to hear names of registrars that are not

>offering DNSSEC ? Am afraid it is the majority of the SME registrars /

>hosting providers.

>

>Cheers,

>

>Niels

>

>On 05/26/2016 11:57 AM, James Gannon wrote:

>> Have you got any specific examples?

>> 

>> 

>> 

>> 

>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:

>> 

>>> Hi all,

>>>

>>> I have been talking to several registrars (especially smaller ones that

>>> provide a lot of support to NGOs), that do not provide DNSSEC yet as

>>> part of their service.

>>>

>>> The story that I keep on hearing is that even the most experienced

>>> engineers have issues with understanding the configuration of the KSK

>>> and Zone signing keys and the key rollover, inconsistencies in

>>> documentation and therefore lack of adoption, because in case of a

>>> mistake this might seriously impact the production environment.

>>>

>>> I think the adoption of DNSSEC is an issue we should care about because

>>> it has the potential to radically increase trust in the DNS system.

>>>

>>> Is this an issue you all recognize, and do you know how / if ICANN makes

>>> (or can make) this easier?

>>>

>>> Best,

>>>

>>> Niels

>>>

>>>

>>> -- 

>>> Niels ten Oever

>>> Head of Digital

>>>

>>> Article 19

>>> www.article19.org

>>>

>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4

>>>                   678B 08B5 A0F2 636D 68E9

>>>

>

>-- 

>Niels ten Oever

>Head of Digital

>

>Article 19

>www.article19.org

>

>PGP fingerprint    8D9F C567 BEE4 A431 56C4

>                   678B 08B5 A0F2 636D 68E9

ATOM RSS1 RSS2