Oh and also the DNSSEC workshops http://www.dnssec-deployment.org/ are another resource.

-j

On 26/05/2016, 11:12, "NCSG-Discuss on behalf of James Gannon" wrote:

>No sorry what are the specific issues, i.e. in understanding the KSK and ZSK keys, in documentation etc? Do DNS engineers at hosting companies really not understand it?
>
>Because there is a large amount of documentation out there, for example on configuring DNSSEC in BIND, and while yes deploying at scale is a risk that registrars would need to analyse and take an internal risk position on, I'm not sure I understand the ‘even the most experienced engineers don’t understand it’ part of the question.
>
>The rest I do for sure, adoption of DNSSEC is a big topic, but there is a huge amount of work going on in both ICANN and ISOC supporting registrars who wish to move down that path in a stable and secure path. ISOC has documentation specifically targeted at registrars http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ I know the RrSG has done some work for ones that are involved in that, there is also Deploy360 from ISOC http://www.internetsociety.org/deploy360/dnssec/ and a lot of community support behind it from a technical perspective for those interested.
>
>My question would be what is the thing that needs to be done to promote adoption, and from what I have seen so far it's usually risk aversion on the business side, and that’s not something that we can do much about from the ICANN side of things, something I feel ISOC should focus on more tho.
>
>-J
>
>On 26/05/2016, 11:03, "Niels ten Oever" wrote:
>
>>Do you mean you would like to hear names of registrars that are not
>>offering DNSSEC ? Am afraid it is the majority of the SME registrars /
>>hosting providers.
>>
>>Cheers,
>>
>>Niels
>>
>>On 05/26/2016 11:57 AM, James Gannon wrote:
>>> Have you got any specific examples?
>>>
>>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have been talking to several registrars (especially smaller ones that
>>>> provide a lot of support to NGOs), that do not provide DNSSEC yet as
>>>> part of their service.
>>>>
>>>> The story that I keep on hearing is that even the most experienced
>>>> engineers have issues with understanding the configuration of the KSK
>>>> and Zone signing keys and the key rollover, inconsistencies in
>>>> documentation and therefore lack of adoption, because in case of a
>>>> mistake this might seriously impact the production environment.
>>>>
>>>> I think the adoption of DNSSEC is an issue we should care about because
>>>> it has the potential to radically increase trust in the DNS system.
>>>>
>>>> Is this an issue you all recognize, and do you know how / if ICANN makes
>>>> (or can make) this easier?
>>>>
>>>> Best,
>>>>
>>>> Niels
>>>>
>>>> --
>>>> Niels ten Oever
>>>> Head of Digital
>>>>
>>>> Article 19
>>>> www.article19.org
>>>>
>>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>>>> 678B 08B5 A0F2 636D 68E9
>>
>>--
>>Niels ten Oever
>>Head of Digital
>>
>>Article 19
>>www.article19.org
>>
>>PGP fingerprint 8D9F C567 BEE4 A431 56C4
>> 678B 08B5 A0F2 636D 68E9