All,


On Fri, May 27, 2016 at 7:46 AM, Niels ten Oever
<[log in to unmask]> wrote:
> Hi Rafik,
>
> The DNSSEC for Everybody is great and fun, but it's more a very rough
> 101. The DNSSEC workshop is also great, but it doesn't help you when you
> are behind a production terminal. Good documentation is needed.


There is plenty of good documentation, in BIND KB, for UNBOUND, for
Windows DNS, on dnssec-deploy site, deploy360 and many, many others.


 Or we
> need to find out better why adoption levels are so low.


This is a more productive path for NCSG to follow.

Adoption levels are low because it is hard.

There is little to no payoff AND it costs (some) money and involves real risks.

The benefits accrue mostly to others.

ICANN/ISOC/RIRs and other I*s have been trying to get people to "take
their medicine" for years.

There is zero reason for NCSG to re-invent this particular wheel.



>
> Is this something we can bring up?
>
> I think this is especially an issue for the NCSG because NGO's,
> activists and individual users will greatly benefit from increased
> trust, and more protection against DNS poisoining. With the enormous
> success of Let's Encrypt (1 milltion certs distributed, covering >2.5
> million domains) DNSSEC is the next logical step, and adoption is still
> _very_ low.


DANE is the next logical step post DNSSEC.  Let's Encrypt is cool tho.


-- 
Cheers,

McTim
"A name indicates what we seek. An address indicates where it is. A
route indicates how we get there."  Jon Postel