NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU

Subject:
From:
James Gannon <[log in to unmask]>
Reply To:
James Gannon <[log in to unmask]>
Date:
Fri, 27 May 2016 12:38:54 +0000
Agreed, so do I see you volunteering to lead this effort? =)

Happy to assist/help out where I can!



-JG







On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:



>Hi Rafik,

>

>The DNSSEC for Everybody is great and fun, but it's more a very rough

>101. The DNSSEC workshop is also great, but it doesn't help you when you

>are behind a production terminal. Good documentation is needed. Or we

>need to find out better why adoption levels are so low.

>

>Is this something we can bring up?

>

>I think this is especially an issue for the NCSG because NGOs,

>activists and individual users will greatly benefit from increased

>trust, and more protection against DNS poisoning. With the enormous

>success of Let's Encrypt (1 million certs distributed, covering >2.5

>million domains) DNSSEC is the next logical step, and adoption is still

>_very_ low.

>

>Cheers,

>

>Niels

>

>

>On 05/27/2016 01:34 PM, Rafik Dammak wrote:

>> Hi Niels,

>> 

>> ICANN organizes regularly for many years now in each ICANN meeting 2

>> DNSSec sessions related:

>> 

>>   * DNSSEC Workshop

>>   * DNSSEC for Everybody: A Beginner's Guide 

>> 

>> there are also DNSSec sessions during conferences like African

>> Internet Summit (https://internetsummitafrica.org/programme/agenda),

>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or  ICANN DNS forum

>> . my understanding is that ICANN tech team helped some ccTLD

>> operators http://dnssec-africa.org/ 

>> 

>> I don't think there are specific activities toward registrars per se.

>> 

>> Best,

>> 

>> Rafik

>> 

>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]

>> <mailto:[log in to unmask]>>:

>> 

>>     Hi James,

>> 

>>     On 05/26/2016 12:12 PM, James Gannon wrote:

>>     > No sorry what are the specific issues, i.e. In understanding the KSK

>>     > and ZSK keys, in documentation etc? Do DNS engineers at hosting

>>     > companies really not understand it?

>>     >

>>     > Because there is a large amount of documentation out there for

>>     > example on configuring DNSSEC in Bind and while yes deploying at

>>     > scale is a risk that registrars would need to analyse and take an

>>     > internal risk position on, I'm not sure I understand the ‘even the most

>>     > experienced engineers don’t understand it’ part of the question.

>>     >

>>     > The rest I do for sure, adoption of DNSSEC is a big topic, but there

>>     > is huge amounts of work going on in both ICANN and ISOC supporting

>>     > registrars who wish to move down that path in a stable and secure

>>     > path. ISOC has documentation specifically targeting at registrars

>>     > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/

>>     > I know the RrSG has done some work for ones that are involved in

>>     > that, there is also Deploy360 from ISOC

>>     > http://www.internetsociety.org/deploy360/dnssec/ and a lot of

>>     > community support behind it from a technical perspective for those

>>     > interested.

>>     >

>> 

>>     Have been clicking through the ISOC site, but I cannot find a proper

>>     how-to or documentation for an independent registrar anywhere.

>> 

>>     I think we should push harder for DNSSEC adoption, and ICANN can and

>>     should play a role in this imho, why would it be more of an ISOC task

>>     than an ICANN task?

>> 

>> 

>>     > My question would be what is the thing that needs to be done to

>>     > promote adoption, and from what I have seen so far it's usually risk

>>     > aversion on the business side, and that’s not something that we can

>>     > do much about from the ICANN side of things, something I feel ISOC

>>     > should focus on more tho.

>> 

>>     Business aversion is also because it's hard, and thus will cost more

>>     time. Also: more risk because it might break. This does not balance well

>>     with the increased trust gained with DNSSEC. We can help tip this scale

>>     by making implementation easier through good documentation, no? Looks

>>     like an ICANN task par excellence to me!

>> 

>>     Cheers,

>> 

>>     Niels

>> 

>> 

>>     >

>>     > -J

>>     >

>>     >

>>     >

>>     >

>>     > On 26/05/2016, 11:03, "Niels ten Oever"

>>     <[log in to unmask] <mailto:[log in to unmask]>>

>>     > wrote:

>>     >

>>     >> Do you mean you would like to hear names of registrars that are

>>     >> not offering DNSSEC ? Am afraid it is the majority of the SME

>>     >> registrars / hosting providers.

>>     >>

>>     >> Cheers,

>>     >>

>>     >> Niels

>>     >>

>>     >> On 05/26/2016 11:57 AM, James Gannon wrote:

>>     >>> Have you got any specific examples?

>>     >>>

>>     >>>

>>     >>>

>>     >>>

>>     >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"

>>     >>> <[log in to unmask]

>>     <mailto:[log in to unmask]> on behalf of

>>     >>> [log in to unmask]

>>     <mailto:[log in to unmask]>> wrote:

>>     >>>

>>     >>>> Hi all,

>>     >>>>

>>     >>>> I have been talking to several registrars (especially smaller

>>     >>>> ones that provide a lot of support to NGOs), that do not

>>     >>>> provide DNSSEC yet as part of their service.

>>     >>>>

>>     >>>> The story that I keep on hearing is that even the most

>>     >>>> experienced engineers have issues with understanding the

>>     >>>> configuration of the KSK and Zone signing keys and the key

>>     >>>> rollover, inconsistencies in documentation and therefore lack

>>     >>>> of adoption, because in case of a mistake this might seriously

>>     >>>> impact the production environment.

>>     >>>>

>>     >>>> I think the adoption of DNSSEC is an issue we should care about

>>     >>>> because it has the potential to radically increase trust in the

>>     >>>> DNS system.

>>     >>>>

>>     >>>> Is this an issue you all recognize, and do you know how / if

>>     >>>> ICANN makes (or can make) this easier?

>>     >>>>

>>     >>>> Best,

>>     >>>>

>>     >>>> Niels

>>     >>>>

>>     >>>>

>>     >>>> -- Niels ten Oever Head of Digital

>>     >>>>

>>     >>>> Article 19 www.article19.org <http://www.article19.org>

>>     >>>>

>>     >>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D

>>     >>>> 68E9

>>     >>>>

>>     >>

>>     >> -- Niels ten Oever Head of Digital

>>     >>

>>     >> Article 19 www.article19.org <http://www.article19.org>

>>     >>

>>     >> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D

>>     >> 68E9

>> 

>>     --

>>     Niels ten Oever

>>     Head of Digital

>> 

>>     Article 19

>>     www.article19.org <http://www.article19.org>

>> 

>>     PGP fingerprint    8D9F C567 BEE4 A431 56C4

>>                        678B 08B5 A0F2 636D 68E9

>> 

>> 

>

>-- 

>Niels ten Oever

>Head of Digital

>

>Article 19

>www.article19.org

>

>PGP fingerprint    8D9F C567 BEE4 A431 56C4

>                   678B 08B5 A0F2 636D 68E9

