NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: DNSSEC key rollover issues
From:
Niels ten Oever <[log in to unmask]>
Reply To:
Niels ten Oever <[log in to unmask]>
Date:
Fri, 27 May 2016 14:55:19 +0200
Content-Type:
text/plain
Parts/Attachments:
text/plain (214 lines) 
Perhaps we can reach out to Michele and see where this is on their
agenda? Shall I do so? Do other people share this concern?

Cheers,

Niels

On 05/27/2016 02:38 PM, James Gannon wrote:
> Agreed, so do I see you volunteering to lead this effort? =)
> Happy to assist/help out where I can!
> 
> -JG
> 
> 
> 
> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:
> 
>> Hi Rafik,
>>
>> The DNSSEC for Everybody is great and fun, but it's more a very rough
>> 101. The DNSSEC workshop is also great, but it doesn't help you when you
>> are behind a production terminal. Good documentation is needed. Or we
>> need to find out better why adoption levels are so low.
>>
>> Is this something we can bring up?
>>
>> I think this is especially an issue for the NCSG because NGO's,
>> activists and individual users will greatly benefit from increased
>> trust, and more protection against DNS poisoining. With the enormous
>> success of Let's Encrypt (1 milltion certs distributed, covering >2.5
>> million domains) DNSSEC is the next logical step, and adoption is still
>> _very_ low.
>>
>> Cheers,
>>
>> Niels
>>
>>
>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:
>>> Hi Niels,
>>>
>>> ICANN organizes regularly for many years now in each ICANN meeting 2
>>> DNSSec sessions related:
>>>
>>>   * DNSSEC Workshop
>>>   * DNSSEC for Everybody: A Beginner's Guide 
>>>
>>> there are also also DNSSec session during conferences like African
>>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or  ICANN DNS forum
>>> . my understanding is that ICANN tech team helped some ccTLD
>>> operators http://dnssec-africa.org/ 
>>>
>>> I don't think there are specific activities toward registrars per se.
>>>
>>> Best,
>>>
>>> Rafik
>>>
>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]
>>> <mailto:[log in to unmask]>>:
>>>
>>>     Hi James,
>>>
>>>     On 05/26/2016 12:12 PM, James Gannon wrote:
>>>     > No sorry what are the specific issues, i.e. In understanding the KSK
>>>     > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>>>     > companies really not understand it?
>>>     >
>>>     > Because there is a large amount of documentation out there for
>>>     > example on configuring DNSSEC in Bind and while yes deploying at
>>>     > scale is a risk that registrars would need to analysise and take an
>>>     > internal risk position on Im not sure I understand the ‘even the most
>>>     > experienced engineers don’t understand it’ part of the question.
>>>     >
>>>     > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>>>     > is huge amount son work going on in both ICANN and ISOC supporting
>>>     > registrars who wish to move down that path in a stable and secure
>>>     > path. ISOC has documentation specifically targeting at registrars
>>>     > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>>>     > I know the RrSG has done some work for ones that are involved in
>>>     > that, there is also Deplay360 from ISOC
>>>     > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>>>     > community support behind it from a technical perspective for those
>>>     > interested.
>>>     >
>>>
>>>     Have been clicking through the ISOC site, but I cannot find a proper
>>>     how-to or documentation for an indepdendent registrar anywhere.
>>>
>>>     I think we should push harder for DNSSEC adoption, and ICANN can and
>>>     should play a role in this imho, why would it be more of an ISOC task
>>>     than a ICANN task?
>>>
>>>
>>>     > My question would be what is the thing that needs to be done to
>>>     > promote adoption, and from what I have seen so far its usually risk
>>>     > aversion on the business side, and that’s not something that we can
>>>     > do much about from the ICANN side of things, something I feel ISOC
>>>     > should focus on more tho.
>>>
>>>     Business aversion is also because it's hard, and thus will cost more
>>>     time. Also: more risk because it might break. This does not balance well
>>>     with the increased trust gained with DNSSEC. We can help tip this scale
>>>     by making implementation easier through good documentation, no? Looks
>>>     like an ICANN task par excellence to me!
>>>
>>>     Cheers,
>>>
>>>     Niels
>>>
>>>
>>>     >
>>>     > -J
>>>     >
>>>     >
>>>     >
>>>     >
>>>     > On 26/05/2016, 11:03, "Niels ten Oever"
>>>     <[log in to unmask] <mailto:[log in to unmask]>>
>>>     > wrote:
>>>     >
>>>     >> Do you mean you would like to hear names of registrars that are
>>>     >> not offering DNSSEC ? Am afraid it is the majority of the SME
>>>     >> registrars / hosting providers.
>>>     >>
>>>     >> Cheers,
>>>     >>
>>>     >> Niels
>>>     >>
>>>     >> On 05/26/2016 11:57 AM, James Gannon wrote:
>>>     >>> Have you got any specific examples?
>>>     >>>
>>>     >>>
>>>     >>>
>>>     >>>
>>>     >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"
>>>     >>> <[log in to unmask]
>>>     <mailto:[log in to unmask]> on behalf of
>>>     >>> [log in to unmask]
>>>     <mailto:[log in to unmask]>> wrote:
>>>     >>>
>>>     >>>> Hi all,
>>>     >>>>
>>>     >>>> I have been talking to several registrars (especially smaller
>>>     >>>> ones that provide a lot of support to NGOs), that do not
>>>     >>>> provide DNSSEC yet as part of their service.
>>>     >>>>
>>>     >>>> The story that I keep on hearing is that even the most
>>>     >>>> experienced engineers have issues with understanding the
>>>     >>>> configuration of the KSK and Zone signing keys and the key
>>>     >>>> rollover, inconsistencies in documentation and therefore lack
>>>     >>>> of adoption, because in case of a mistake this might seriously
>>>     >>>> impact the production environment.
>>>     >>>>
>>>     >>>> I think the adoption of DNSSEC is an issue we should care about
>>>     >>>> because it has the potential to radically increase trust in the
>>>     >>>> DNS system.
>>>     >>>>
>>>     >>>> Is this an issue you all recognize, and do you know how / if
>>>     >>>> ICANN makes (or can make) this easier?
>>>     >>>>
>>>     >>>> Best,
>>>     >>>>
>>>     >>>> Niels
>>>     >>>>
>>>     >>>>
>>>     >>>> -- Niels ten Oever Head of Digital
>>>     >>>>
>>>     >>>> Article 19 www.article19.org <http://www.article19.org>
>>>     >>>>
>>>     >>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>>>     >>>> 68E9
>>>     >>>>
>>>     >>
>>>     >> -- Niels ten Oever Head of Digital
>>>     >>
>>>     >> Article 19 www.article19.org <http://www.article19.org>
>>>     >>
>>>     >> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>>>     >> 68E9
>>>
>>>     --
>>>     Niels ten Oever
>>>     Head of Digital
>>>
>>>     Article 19
>>>     www.article19.org <http://www.article19.org>
>>>
>>>     PGP fingerprint    8D9F C567 BEE4 A431 56C4
>>>                        678B 08B5 A0F2 636D 68E9
>>>
>>>
>>
>> -- 
>> Niels ten Oever
>> Head of Digital
>>
>> Article 19
>> www.article19.org
>>
>> PGP fingerprint    8D9F C567 BEE4 A431 56C4
>>                   678B 08B5 A0F2 636D 68E9

-- 
Niels ten Oever
Head of Digital

Article 19
www.article19.org

PGP fingerprint    8D9F C567 BEE4 A431 56C4
                   678B 08B5 A0F2 636D 68E9

ATOM RSS1 RSS2