We can invite Patrik Falstrom and have a training session.
On 27 May 2016 at 14:56, James Gannon <[log in to unmask]> wrote:
> I like that idea. Lets try and gather some info before Helsinki and see if
> this is something we need to put time into and where our time is best spent.
>
> -jg
>
>
>
>
> On 27/05/2016, 13:55, "Niels ten Oever" <[log in to unmask]>
> wrote:
>
> >Perhaps we can reach out to Michele and see where this is on their
> >agenda? Shall I do so? Do other people share this concern?
> >
> >Cheers,
> >
> >Niels
> >
> >On 05/27/2016 02:38 PM, James Gannon wrote:
> >> Agreed, so do I see you volunteering to lead this effort? =)
> >> Happy to assist/help out where I can!
> >>
> >> -JG
> >>
> >>
> >>
> >> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <
> [log in to unmask] on behalf of [log in to unmask]>
> wrote:
> >>
> >>> Hi Rafik,
> >>>
> >>> The DNSSEC for Everybody is great and fun, but it's more a very rough
> >>> 101. The DNSSEC workshop is also great, but it doesn't help you when
> you
> >>> are behind a production terminal. Good documentation is needed. Or we
> >>> need to find out better why adoption levels are so low.
> >>>
> >>> Is this something we can bring up?
> >>>
> >>> I think this is especially an issue for the NCSG because NGO's,
> >>> activists and individual users will greatly benefit from increased
> >>> trust, and more protection against DNS poisoining. With the enormous
> >>> success of Let's Encrypt (1 milltion certs distributed, covering >2.5
> >>> million domains) DNSSEC is the next logical step, and adoption is still
> >>> _very_ low.
> >>>
> >>> Cheers,
> >>>
> >>> Niels
> >>>
> >>>
> >>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:
> >>>> Hi Niels,
> >>>>
> >>>> ICANN organizes regularly for many years now in each ICANN meeting 2
> >>>> DNSSec sessions related:
> >>>>
> >>>> * DNSSEC Workshop
> >>>> * DNSSEC for Everybody: A Beginner's Guide
> >>>>
> >>>> there are also also DNSSec session during conferences like African
> >>>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
> >>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS
> forum
> >>>> . my understanding is that ICANN tech team helped some ccTLD
> >>>> operators http://dnssec-africa.org/
> >>>>
> >>>> I don't think there are specific activities toward registrars per se.
> >>>>
> >>>> Best,
> >>>>
> >>>> Rafik
> >>>>
> >>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <
> [log in to unmask]
> >>>> <mailto:[log in to unmask]>>:
> >>>>
> >>>> Hi James,
> >>>>
> >>>> On 05/26/2016 12:12 PM, James Gannon wrote:
> >>>> > No sorry what are the specific issues, i.e. In understanding
> the KSK
> >>>> > and ZSK keys, in documentation etc? Do DNS engineers at hosting
> >>>> > companies really not understand it?
> >>>> >
> >>>> > Because there is a large amount of documentation out there for
> >>>> > example on configuring DNSSEC in Bind and while yes deploying at
> >>>> > scale is a risk that registrars would need to analysise and
> take an
> >>>> > internal risk position on Im not sure I understand the ‘even
> the most
> >>>> > experienced engineers don’t understand it’ part of the question.
> >>>> >
> >>>> > The rest I do for sure, adoption of DNSSEC is a big topic, but
> there
> >>>> > is huge amount son work going on in both ICANN and ISOC
> supporting
> >>>> > registrars who wish to move down that path in a stable and
> secure
> >>>> > path. ISOC has documentation specifically targeting at
> registrars
> >>>> >
> http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
> >>>> > I know the RrSG has done some work for ones that are involved in
> >>>> > that, there is also Deplay360 from ISOC
> >>>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
> >>>> > community support behind it from a technical perspective for
> those
> >>>> > interested.
> >>>> >
> >>>>
> >>>> Have been clicking through the ISOC site, but I cannot find a
> proper
> >>>> how-to or documentation for an indepdendent registrar anywhere.
> >>>>
> >>>> I think we should push harder for DNSSEC adoption, and ICANN can
> and
> >>>> should play a role in this imho, why would it be more of an ISOC
> task
> >>>> than a ICANN task?
> >>>>
> >>>>
> >>>> > My question would be what is the thing that needs to be done to
> >>>> > promote adoption, and from what I have seen so far its usually
> risk
> >>>> > aversion on the business side, and that’s not something that we
> can
> >>>> > do much about from the ICANN side of things, something I feel
> ISOC
> >>>> > should focus on more tho.
> >>>>
> >>>> Business aversion is also because it's hard, and thus will cost
> more
> >>>> time. Also: more risk because it might break. This does not
> balance well
> >>>> with the increased trust gained with DNSSEC. We can help tip this
> scale
> >>>> by making implementation easier through good documentation, no?
> Looks
> >>>> like an ICANN task par excellence to me!
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Niels
> >>>>
> >>>>
> >>>> >
> >>>> > -J
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>> > On 26/05/2016, 11:03, "Niels ten Oever"
> >>>> <[log in to unmask] <mailto:[log in to unmask]
> >>
> >>>> > wrote:
> >>>> >
> >>>> >> Do you mean you would like to hear names of registrars that are
> >>>> >> not offering DNSSEC ? Am afraid it is the majority of the SME
> >>>> >> registrars / hosting providers.
> >>>> >>
> >>>> >> Cheers,
> >>>> >>
> >>>> >> Niels
> >>>> >>
> >>>> >> On 05/26/2016 11:57 AM, James Gannon wrote:
> >>>> >>> Have you got any specific examples?
> >>>> >>>
> >>>> >>>
> >>>> >>>
> >>>> >>>
> >>>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten
> Oever"
> >>>> >>> <[log in to unmask]
> >>>> <mailto:[log in to unmask]> on behalf of
> >>>> >>> [log in to unmask]
> >>>> <mailto:[log in to unmask]>> wrote:
> >>>> >>>
> >>>> >>>> Hi all,
> >>>> >>>>
> >>>> >>>> I have been talking to several registrars (especially smaller
> >>>> >>>> ones that provide a lot of support to NGOs), that do not
> >>>> >>>> provide DNSSEC yet as part of their service.
> >>>> >>>>
> >>>> >>>> The story that I keep on hearing is that even the most
> >>>> >>>> experienced engineers have issues with understanding the
> >>>> >>>> configuration of the KSK and Zone signing keys and the key
> >>>> >>>> rollover, inconsistencies in documentation and therefore lack
> >>>> >>>> of adoption, because in case of a mistake this might
> seriously
> >>>> >>>> impact the production environment.
> >>>> >>>>
> >>>> >>>> I think the adoption of DNSSEC is an issue we should care
> about
> >>>> >>>> because it has the potential to radically increase trust in
> the
> >>>> >>>> DNS system.
> >>>> >>>>
> >>>> >>>> Is this an issue you all recognize, and do you know how / if
> >>>> >>>> ICANN makes (or can make) this easier?
> >>>> >>>>
> >>>> >>>> Best,
> >>>> >>>>
> >>>> >>>> Niels
> >>>> >>>>
> >>>> >>>>
> >>>> >>>> -- Niels ten Oever Head of Digital
> >>>> >>>>
> >>>> >>>> Article 19 www.article19.org <http://www.article19.org>
> >>>> >>>>
> >>>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2
> 636D
> >>>> >>>> 68E9
> >>>> >>>>
> >>>> >>
> >>>> >> -- Niels ten Oever Head of Digital
> >>>> >>
> >>>> >> Article 19 www.article19.org <http://www.article19.org>
> >>>> >>
> >>>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
> >>>> >> 68E9
> >>>>
> >>>> --
> >>>> Niels ten Oever
> >>>> Head of Digital
> >>>>
> >>>> Article 19
> >>>> www.article19.org <http://www.article19.org>
> >>>>
> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
> >>>> 678B 08B5 A0F2 636D 68E9
> >>>>
> >>>>
> >>>
> >>> --
> >>> Niels ten Oever
> >>> Head of Digital
> >>>
> >>> Article 19
> >>> www.article19.org
> >>>
> >>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
> >>> 678B 08B5 A0F2 636D 68E9
> >
> >--
> >Niels ten Oever
> >Head of Digital
> >
> >Article 19
> >www.article19.org
> >
> >PGP fingerprint 8D9F C567 BEE4 A431 56C4
> > 678B 08B5 A0F2 636D 68E9
>
--
Farzaneh
|