I like that idea. Lets try and gather some info before Helsinki and see if this is something we need to put time into and where our time is best spent.



-jg









On 27/05/2016, 13:55, "Niels ten Oever" <[log in to unmask]> wrote:



>Perhaps we can reach out to Michele and see where this is on their

>agenda? Shall I do so? Do other people share this concern?

>

>Cheers,

>

>Niels

>

>On 05/27/2016 02:38 PM, James Gannon wrote:

>> Agreed, so do I see you volunteering to lead this effort? =)

>> Happy to assist/help out where I can!

>> 

>> -JG

>> 

>> 

>> 

>> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:

>> 

>>> Hi Rafik,

>>>

>>> The DNSSEC for Everybody is great and fun, but it's more a very rough

>>> 101. The DNSSEC workshop is also great, but it doesn't help you when you

>>> are behind a production terminal. Good documentation is needed. Or we

>>> need to find out better why adoption levels are so low.

>>>

>>> Is this something we can bring up?

>>>

>>> I think this is especially an issue for the NCSG because NGO's,

>>> activists and individual users will greatly benefit from increased

>>> trust, and more protection against DNS poisoining. With the enormous

>>> success of Let's Encrypt (1 milltion certs distributed, covering >2.5

>>> million domains) DNSSEC is the next logical step, and adoption is still

>>> _very_ low.

>>>

>>> Cheers,

>>>

>>> Niels

>>>

>>>

>>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:

>>>> Hi Niels,

>>>>

>>>> ICANN organizes regularly for many years now in each ICANN meeting 2

>>>> DNSSec sessions related:

>>>>

>>>>   * DNSSEC Workshop

>>>>   * DNSSEC for Everybody: A Beginner's Guide 

>>>>

>>>> there are also also DNSSec session during conferences like African

>>>> Internet Summit (https://internetsummitafrica.org/programme/agenda),

>>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or  ICANN DNS forum

>>>> . my understanding is that ICANN tech team helped some ccTLD

>>>> operators http://dnssec-africa.org/ 

>>>>

>>>> I don't think there are specific activities toward registrars per se.

>>>>

>>>> Best,

>>>>

>>>> Rafik

>>>>

>>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]

>>>> <mailto:[log in to unmask]>>:

>>>>

>>>>     Hi James,

>>>>

>>>>     On 05/26/2016 12:12 PM, James Gannon wrote:

>>>>     > No sorry what are the specific issues, i.e. In understanding the KSK

>>>>     > and ZSK keys, in documentation etc? Do DNS engineers at hosting

>>>>     > companies really not understand it?

>>>>     >

>>>>     > Because there is a large amount of documentation out there for

>>>>     > example on configuring DNSSEC in Bind and while yes deploying at

>>>>     > scale is a risk that registrars would need to analysise and take an

>>>>     > internal risk position on Im not sure I understand the ‘even the most

>>>>     > experienced engineers don’t understand it’ part of the question.

>>>>     >

>>>>     > The rest I do for sure, adoption of DNSSEC is a big topic, but there

>>>>     > is huge amount son work going on in both ICANN and ISOC supporting

>>>>     > registrars who wish to move down that path in a stable and secure

>>>>     > path. ISOC has documentation specifically targeting at registrars

>>>>     > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/

>>>>     > I know the RrSG has done some work for ones that are involved in

>>>>     > that, there is also Deplay360 from ISOC

>>>>     > http://www.internetsociety.org/deploy360/dnssec/ and a lot of

>>>>     > community support behind it from a technical perspective for those

>>>>     > interested.

>>>>     >

>>>>

>>>>     Have been clicking through the ISOC site, but I cannot find a proper

>>>>     how-to or documentation for an indepdendent registrar anywhere.

>>>>

>>>>     I think we should push harder for DNSSEC adoption, and ICANN can and

>>>>     should play a role in this imho, why would it be more of an ISOC task

>>>>     than a ICANN task?

>>>>

>>>>

>>>>     > My question would be what is the thing that needs to be done to

>>>>     > promote adoption, and from what I have seen so far its usually risk

>>>>     > aversion on the business side, and that’s not something that we can

>>>>     > do much about from the ICANN side of things, something I feel ISOC

>>>>     > should focus on more tho.

>>>>

>>>>     Business aversion is also because it's hard, and thus will cost more

>>>>     time. Also: more risk because it might break. This does not balance well

>>>>     with the increased trust gained with DNSSEC. We can help tip this scale

>>>>     by making implementation easier through good documentation, no? Looks

>>>>     like an ICANN task par excellence to me!

>>>>

>>>>     Cheers,

>>>>

>>>>     Niels

>>>>

>>>>

>>>>     >

>>>>     > -J

>>>>     >

>>>>     >

>>>>     >

>>>>     >

>>>>     > On 26/05/2016, 11:03, "Niels ten Oever"

>>>>     <[log in to unmask] <mailto:[log in to unmask]>>

>>>>     > wrote:

>>>>     >

>>>>     >> Do you mean you would like to hear names of registrars that are

>>>>     >> not offering DNSSEC ? Am afraid it is the majority of the SME

>>>>     >> registrars / hosting providers.

>>>>     >>

>>>>     >> Cheers,

>>>>     >>

>>>>     >> Niels

>>>>     >>

>>>>     >> On 05/26/2016 11:57 AM, James Gannon wrote:

>>>>     >>> Have you got any specific examples?

>>>>     >>>

>>>>     >>>

>>>>     >>>

>>>>     >>>

>>>>     >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"

>>>>     >>> <[log in to unmask]

>>>>     <mailto:[log in to unmask]> on behalf of

>>>>     >>> [log in to unmask]

>>>>     <mailto:[log in to unmask]>> wrote:

>>>>     >>>

>>>>     >>>> Hi all,

>>>>     >>>>

>>>>     >>>> I have been talking to several registrars (especially smaller

>>>>     >>>> ones that provide a lot of support to NGOs), that do not

>>>>     >>>> provide DNSSEC yet as part of their service.

>>>>     >>>>

>>>>     >>>> The story that I keep on hearing is that even the most

>>>>     >>>> experienced engineers have issues with understanding the

>>>>     >>>> configuration of the KSK and Zone signing keys and the key

>>>>     >>>> rollover, inconsistencies in documentation and therefore lack

>>>>     >>>> of adoption, because in case of a mistake this might seriously

>>>>     >>>> impact the production environment.

>>>>     >>>>

>>>>     >>>> I think the adoption of DNSSEC is an issue we should care about

>>>>     >>>> because it has the potential to radically increase trust in the

>>>>     >>>> DNS system.

>>>>     >>>>

>>>>     >>>> Is this an issue you all recognize, and do you know how / if

>>>>     >>>> ICANN makes (or can make) this easier?

>>>>     >>>>

>>>>     >>>> Best,

>>>>     >>>>

>>>>     >>>> Niels

>>>>     >>>>

>>>>     >>>>

>>>>     >>>> -- Niels ten Oever Head of Digital

>>>>     >>>>

>>>>     >>>> Article 19 www.article19.org <http://www.article19.org>

>>>>     >>>>

>>>>     >>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D

>>>>     >>>> 68E9

>>>>     >>>>

>>>>     >>

>>>>     >> -- Niels ten Oever Head of Digital

>>>>     >>

>>>>     >> Article 19 www.article19.org <http://www.article19.org>

>>>>     >>

>>>>     >> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D

>>>>     >> 68E9

>>>>

>>>>     --

>>>>     Niels ten Oever

>>>>     Head of Digital

>>>>

>>>>     Article 19

>>>>     www.article19.org <http://www.article19.org>

>>>>

>>>>     PGP fingerprint    8D9F C567 BEE4 A431 56C4

>>>>                        678B 08B5 A0F2 636D 68E9

>>>>

>>>>

>>>

>>> -- 

>>> Niels ten Oever

>>> Head of Digital

>>>

>>> Article 19

>>> www.article19.org

>>>

>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4

>>>                   678B 08B5 A0F2 636D 68E9

>

>-- 

>Niels ten Oever

>Head of Digital

>

>Article 19

>www.article19.org

>

>PGP fingerprint    8D9F C567 BEE4 A431 56C4

>                   678B 08B5 A0F2 636D 68E9