NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: DNSSEC key rollover issues
From:
James Gannon <[log in to unmask]>
Reply To:
James Gannon <[log in to unmask]>
Date:
Thu, 26 May 2016 10:14:27 +0000
Content-Type:
text/plain
Parts/Attachments:
text/plain (1 lines) 
Oh and also the DNSSEC workshops http://www.dnssec-deployment.org/ are another resource.



-j









On 26/05/2016, 11:12, "NCSG-Discuss on behalf of James Gannon" <[log in to unmask] on behalf of [log in to unmask]> wrote:



>No sorry what are the specific issues, i.e. In understanding the KSK and ZSK keys, in documentation etc? Do DNS engineers at hosting companies really not understand it?

>

>Because there is a large amount of documentation out there for example on configuring DNSSEC in Bind and while yes deploying at scale is a risk that registrars would need to analysise and take an internal risk position on Im not sure I understand the ‘even the most experienced engineers don’t understand it’ part of the question.

>

>The rest I do for sure, adoption of DNSSEC is a big topic, but there is huge amount son work going on in both ICANN and ISOC supporting registrars who wish to move down that path in a stable and secure path. ISOC has documentation specifically targeting at registrars http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ I know the RrSG has done some work for ones that are involved in that, there is also Deplay360 from ISOC http://www.internetsociety.org/deploy360/dnssec/ and a lot of community support behind it from a technical perspective for those interested. 

>

>My question would be what is the thing that needs to be done to promote adoption, and from what I have seen so far its usually risk aversion on the business side, and that’s not something that we can do much about from the ICANN side of things, something I feel ISOC should focus on more tho.

>

>-J

>

>

>

>

>On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask]> wrote:

>

>>Do you mean you would like to hear names of registrars that are not

>>offering DNSSEC ? Am afraid it is the majority of the SME registrars /

>>hosting providers.

>>

>>Cheers,

>>

>>Niels

>>

>>On 05/26/2016 11:57 AM, James Gannon wrote:

>>> Have you got any specific examples?

>>> 

>>> 

>>> 

>>> 

>>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:

>>> 

>>>> Hi all,

>>>>

>>>> I have been talking to several registrars (especially smaller ones that

>>>> provide a lot of support to NGOs), that do not provide DNSSEC yet as

>>>> part of their service.

>>>>

>>>> The story that I keep on hearing is that even the most experienced

>>>> engineers have issues with understanding the configuration of the KSK

>>>> and Zone signing keys and the key rollover, inconsistencies in

>>>> documentation and therefore lack of adoption, because in case of a

>>>> mistake this might seriously impact the production environment.

>>>>

>>>> I think the adoption of DNSSEC is an issue we should care about because

>>>> it has the potential to radically increase trust in the DNS system.

>>>>

>>>> Is this an issue you all recognize, and do you know how / if ICANN makes

>>>> (or can make) this easier?

>>>>

>>>> Best,

>>>>

>>>> Niels

>>>>

>>>>

>>>> -- 

>>>> Niels ten Oever

>>>> Head of Digital

>>>>

>>>> Article 19

>>>> www.article19.org

>>>>

>>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4

>>>>                   678B 08B5 A0F2 636D 68E9

>>>>

>>

>>-- 

>>Niels ten Oever

>>Head of Digital

>>

>>Article 19

>>www.article19.org

>>

>>PGP fingerprint    8D9F C567 BEE4 A431 56C4

>>                   678B 08B5 A0F2 636D 68E9

ATOM RSS1 RSS2