No sorry what are the specific issues, i.e. In understanding the KSK and ZSK keys, in documentation etc? Do DNS engineers at hosting companies really not understand it? Because there is a large amount of documentation out there for example on configuring DNSSEC in Bind and while yes deploying at scale is a risk that registrars would need to analysise and take an internal risk position on Im not sure I understand the ‘even the most experienced engineers don’t understand it’ part of the question. The rest I do for sure, adoption of DNSSEC is a big topic, but there is huge amount son work going on in both ICANN and ISOC supporting registrars who wish to move down that path in a stable and secure path. ISOC has documentation specifically targeting at registrars http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ I know the RrSG has done some work for ones that are involved in that, there is also Deplay360 from ISOC http://www.internetsociety.org/deploy360/dnssec/ and a lot of community support behind it from a technical perspective for those interested. My question would be what is the thing that needs to be done to promote adoption, and from what I have seen so far its usually risk aversion on the business side, and that’s not something that we can do much about from the ICANN side of things, something I feel ISOC should focus on more tho. -J On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask]> wrote: >Do you mean you would like to hear names of registrars that are not >offering DNSSEC ? Am afraid it is the majority of the SME registrars / >hosting providers. > >Cheers, > >Niels > >On 05/26/2016 11:57 AM, James Gannon wrote: >> Have you got any specific examples? >> >> >> >> >> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote: >> >>> Hi all, >>> >>> I have been talking to several registrars (especially smaller ones that >>> provide a lot of support to NGOs), that do not provide DNSSEC yet as >>> part of their service. >>> >>> The story that I keep on hearing is that even the most experienced >>> engineers have issues with understanding the configuration of the KSK >>> and Zone signing keys and the key rollover, inconsistencies in >>> documentation and therefore lack of adoption, because in case of a >>> mistake this might seriously impact the production environment. >>> >>> I think the adoption of DNSSEC is an issue we should care about because >>> it has the potential to radically increase trust in the DNS system. >>> >>> Is this an issue you all recognize, and do you know how / if ICANN makes >>> (or can make) this easier? >>> >>> Best, >>> >>> Niels >>> >>> >>> -- >>> Niels ten Oever >>> Head of Digital >>> >>> Article 19 >>> www.article19.org >>> >>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 >>> 678B 08B5 A0F2 636D 68E9 >>> > >-- >Niels ten Oever >Head of Digital > >Article 19 >www.article19.org > >PGP fingerprint 8D9F C567 BEE4 A431 56C4 > 678B 08B5 A0F2 636D 68E9