NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU

Niels ten Oever <[log in to unmask]>
Fri, 27 May 2016 13:46:49 +0200
Hi Rafik,

The DNSSEC for Everybody is great and fun, but it's more a very rough
101. The DNSSEC workshop is also great, but it doesn't help you when you
are behind a production terminal. Good documentation is needed. Or we
need to find out better why adoption levels are so low.

Is this something we can bring up?

I think this is especially an issue for the NCSG because NGOs,
activists and individual users will greatly benefit from increased
trust, and more protection against DNS poisoning. With the enormous
success of Let's Encrypt (1 million certs distributed, covering >2.5
million domains) DNSSEC is the next logical step, and adoption is still
_very_ low.

Cheers,

Niels


On 05/27/2016 01:34 PM, Rafik Dammak wrote:
> Hi Niels,
> 
> ICANN has regularly organized, for many years now, 2 DNSSEC-related
> sessions in each ICANN meeting:
> 
>   * DNSSEC Workshop
>   * DNSSEC for Everybody: A Beginner's Guide 
> 
> There are also DNSSEC sessions during conferences like African
> Internet Summit (https://internetsummitafrica.org/programme/agenda),
> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum.
> My understanding is that ICANN tech team helped some ccTLD
> operators http://dnssec-africa.org/
> 
> I don't think there are specific activities toward registrars per se.
> 
> Best,
> 
> Rafik
> 
> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]
> <mailto:[log in to unmask]>>:
> 
>     Hi James,
> 
>     On 05/26/2016 12:12 PM, James Gannon wrote:
>     > No sorry what are the specific issues, i.e. In understanding the KSK
>     > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>     > companies really not understand it?
>     >
>     > Because there is a large amount of documentation out there for
>     > example on configuring DNSSEC in Bind and while yes deploying at
>     > scale is a risk that registrars would need to analyse and take an
>     > internal risk position on, I'm not sure I understand the ‘even the most
>     > experienced engineers don’t understand it’ part of the question.
>     >
>     > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>     > is a huge amount of work going on in both ICANN and ISOC supporting
>     > registrars who wish to move down that path in a stable and secure
>     > path. ISOC has documentation specifically targeted at registrars
>     > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>     > I know the RrSG has done some work for ones that are involved in
>     > that, there is also Deploy360 from ISOC
>     > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>     > community support behind it from a technical perspective for those
>     > interested.
>     >
> 
>     Have been clicking through the ISOC site, but I cannot find a proper
>     how-to or documentation for an independent registrar anywhere.
> 
>     I think we should push harder for DNSSEC adoption, and ICANN can and
>     should play a role in this imho, why would it be more of an ISOC task
>     than an ICANN task?
> 
> 
>     > My question would be what is the thing that needs to be done to
>     > promote adoption, and from what I have seen so far it's usually risk
>     > aversion on the business side, and that’s not something that we can
>     > do much about from the ICANN side of things, something I feel ISOC
>     > should focus on more tho.
> 
>     Business aversion is also because it's hard, and thus will cost more
>     time. Also: more risk because it might break. This does not balance well
>     with the increased trust gained with DNSSEC. We can help tip this scale
>     by making implementation easier through good documentation, no? Looks
>     like an ICANN task par excellence to me!
> 
>     Cheers,
> 
>     Niels
> 
> 
>     >
>     > -J
>     >
>     >
>     >
>     >
>     > On 26/05/2016, 11:03, "Niels ten Oever"
>     <[log in to unmask] <mailto:[log in to unmask]>>
>     > wrote:
>     >
>     >> Do you mean you would like to hear names of registrars that are
>     >> not offering DNSSEC ? Am afraid it is the majority of the SME
>     >> registrars / hosting providers.
>     >>
>     >> Cheers,
>     >>
>     >> Niels
>     >>
>     >> On 05/26/2016 11:57 AM, James Gannon wrote:
>     >>> Have you got any specific examples?
>     >>>
>     >>>
>     >>>
>     >>>
>     >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"
>     >>> <[log in to unmask]
>     <mailto:[log in to unmask]> on behalf of
>     >>> [log in to unmask]
>     <mailto:[log in to unmask]>> wrote:
>     >>>
>     >>>> Hi all,
>     >>>>
>     >>>> I have been talking to several registrars (especially smaller
>     >>>> ones that provide a lot of support to NGOs), that do not
>     >>>> provide DNSSEC yet as part of their service.
>     >>>>
>     >>>> The story that I keep on hearing is that even the most
>     >>>> experienced engineers have issues with understanding the
>     >>>> configuration of the KSK and Zone signing keys and the key
>     >>>> rollover, inconsistencies in documentation and therefore lack
>     >>>> of adoption, because in case of a mistake this might seriously
>     >>>> impact the production environment.
>     >>>>
>     >>>> I think the adoption of DNSSEC is an issue we should care about
>     >>>> because it has the potential to radically increase trust in the
>     >>>> DNS system.
>     >>>>
>     >>>> Is this an issue you all recognize, and do you know how / if
>     >>>> ICANN makes (or can make) this easier?
>     >>>>
>     >>>> Best,
>     >>>>
>     >>>> Niels
>     >>>>
>     >>>>
>     >>>> -- Niels ten Oever Head of Digital
>     >>>>
>     >>>> Article 19 www.article19.org <http://www.article19.org>
>     >>>>
>     >>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>     >>>> 68E9
>     >>>>
>     >>
>     >> -- Niels ten Oever Head of Digital
>     >>
>     >> Article 19 www.article19.org <http://www.article19.org>
>     >>
>     >> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>     >> 68E9
> 
>     --
>     Niels ten Oever
>     Head of Digital
> 
>     Article 19
>     www.article19.org <http://www.article19.org>
> 
>     PGP fingerprint    8D9F C567 BEE4 A431 56C4
>                        678B 08B5 A0F2 636D 68E9
> 
> 

-- 
Niels ten Oever
Head of Digital

Article 19
www.article19.org

PGP fingerprint    8D9F C567 BEE4 A431 56C4
                   678B 08B5 A0F2 636D 68E9
