LISTSERV - NCSG-DISCUSS Archives

Oh and also the DNSSEC workshops http://www.dnssec-deployment.org/ are another resource.

-j




On 26/05/2016, 11:12, "NCSG-Discuss on behalf of James Gannon" <[log in to unmask] on behalf of [log in to unmask]> wrote:

>No sorry what are the specific issues, i.e. In understanding the KSK and ZSK keys, in documentation etc? Do DNS engineers at hosting companies really not understand it?
>
>Because there is a large amount of documentation out there for example on configuring DNSSEC in Bind and while yes deploying at scale is a risk that registrars would need to analysise and take an internal risk position on Im not sure I understand the ‘even the most experienced engineers don’t understand it’ part of the question.
>
>The rest I do for sure, adoption of DNSSEC is a big topic, but there is huge amount son work going on in both ICANN and ISOC supporting registrars who wish to move down that path in a stable and secure path. ISOC has documentation specifically targeting at registrars http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ I know the RrSG has done some work for ones that are involved in that, there is also Deplay360 from ISOC http://www.internetsociety.org/deploy360/dnssec/ and a lot of community support behind it from a technical perspective for those interested. 
>
>My question would be what is the thing that needs to be done to promote adoption, and from what I have seen so far its usually risk aversion on the business side, and that’s not something that we can do much about from the ICANN side of things, something I feel ISOC should focus on more tho.
>
>-J
>
>
>
>
>On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask]> wrote:
>
>>Do you mean you would like to hear names of registrars that are not
>>offering DNSSEC ? Am afraid it is the majority of the SME registrars /
>>hosting providers.
>>
>>Cheers,
>>
>>Niels
>>
>>On 05/26/2016 11:57 AM, James Gannon wrote:
>>> Have you got any specific examples?
>>> 
>>> 
>>> 
>>> 
>>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>>> 
>>>> Hi all,
>>>>
>>>> I have been talking to several registrars (especially smaller ones that
>>>> provide a lot of support to NGOs), that do not provide DNSSEC yet as
>>>> part of their service.
>>>>
>>>> The story that I keep on hearing is that even the most experienced
>>>> engineers have issues with understanding the configuration of the KSK
>>>> and Zone signing keys and the key rollover, inconsistencies in
>>>> documentation and therefore lack of adoption, because in case of a
>>>> mistake this might seriously impact the production environment.
>>>>
>>>> I think the adoption of DNSSEC is an issue we should care about because
>>>> it has the potential to radically increase trust in the DNS system.
>>>>
>>>> Is this an issue you all recognize, and do you know how / if ICANN makes
>>>> (or can make) this easier?
>>>>
>>>> Best,
>>>>
>>>> Niels
>>>>
>>>>
>>>> -- 
>>>> Niels ten Oever
>>>> Head of Digital
>>>>
>>>> Article 19
>>>> www.article19.org
>>>>
>>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4
>>>>                   678B 08B5 A0F2 636D 68E9
>>>>
>>
>>-- 
>>Niels ten Oever
>>Head of Digital
>>
>>Article 19
>>www.article19.org
>>
>>PGP fingerprint    8D9F C567 BEE4 A431 56C4
>>                   678B 08B5 A0F2 636D 68E9