Agreed, so do I see you volunteering to lead this effort? =)
Happy to assist/help out where I can!

-JG

On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:

>Hi Rafik,
>
>The DNSSEC for Everybody is great and fun, but it's more a very rough
>101. The DNSSEC workshop is also great, but it doesn't help you when you
>are behind a production terminal. Good documentation is needed. Or we
>need to find out better why adoption levels are so low.
>
>Is this something we can bring up?
>
>I think this is especially an issue for the NCSG because NGOs,
>activists and individual users will greatly benefit from increased
>trust, and more protection against DNS poisoning. With the enormous
>success of Let's Encrypt (1 million certs distributed, covering >2.5
>million domains) DNSSEC is the next logical step, and adoption is still
>_very_ low.
>
>Cheers,
>
>Niels
>
>
>On 05/27/2016 01:34 PM, Rafik Dammak wrote:
>> Hi Niels,
>>
>> ICANN organizes regularly for many years now in each ICANN meeting 2
>> DNSSec sessions related:
>>
>> * DNSSEC Workshop
>> * DNSSEC for Everybody: A Beginner's Guide
>>
>> there are also DNSSec session during conferences like African
>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum.
>> My understanding is that ICANN tech team helped some ccTLD
>> operators http://dnssec-africa.org/
>>
>> I don't think there are specific activities toward registrars per se.
>>
>> Best,
>>
>> Rafik
>>
>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]
>> <mailto:[log in to unmask]>>:
>>
>> Hi James,
>>
>> On 05/26/2016 12:12 PM, James Gannon wrote:
>> > No sorry what are the specific issues, i.e. In understanding the KSK
>> > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>> > companies really not understand it?
>> >
>> > Because there is a large amount of documentation out there for
>> > example on configuring DNSSEC in Bind and while yes deploying at
>> > scale is a risk that registrars would need to analyse and take an
>> > internal risk position on I'm not sure I understand the ‘even the most
>> > experienced engineers don’t understand it’ part of the question.
>> >
>> > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>> > is a huge amount of work going on in both ICANN and ISOC supporting
>> > registrars who wish to move down that path in a stable and secure
>> > path. ISOC has documentation specifically targeted at registrars
>> > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>> > I know the RrSG has done some work for ones that are involved in
>> > that, there is also Deploy360 from ISOC
>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>> > community support behind it from a technical perspective for those
>> > interested.
>> >
>>
>> Have been clicking through the ISOC site, but I cannot find a proper
>> how-to or documentation for an independent registrar anywhere.
>>
>> I think we should push harder for DNSSEC adoption, and ICANN can and
>> should play a role in this imho, why would it be more of an ISOC task
>> than an ICANN task?
>>
>>
>> > My question would be what is the thing that needs to be done to
>> > promote adoption, and from what I have seen so far it's usually risk
>> > aversion on the business side, and that’s not something that we can
>> > do much about from the ICANN side of things, something I feel ISOC
>> > should focus on more tho.
>>
>> Business aversion is also because it's hard, and thus will cost more
>> time. Also: more risk because it might break. This does not balance well
>> with the increased trust gained with DNSSEC. We can help tip this scale
>> by making implementation easier through good documentation, no? Looks
>> like an ICANN task par excellence to me!
>>
>> Cheers,
>>
>> Niels
>>
>>
>> >
>> > -J
>> >
>> >
>> >
>> >
>> > On 26/05/2016, 11:03, "Niels ten Oever"
>> > <[log in to unmask] <mailto:[log in to unmask]>>
>> > wrote:
>> >
>> >> Do you mean you would like to hear names of registrars that are
>> >> not offering DNSSEC ? Am afraid it is the majority of the SME
>> >> registrars / hosting providers.
>> >>
>> >> Cheers,
>> >>
>> >> Niels
>> >>
>> >> On 05/26/2016 11:57 AM, James Gannon wrote:
>> >>> Have you got any specific examples?
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"
>> >>> <[log in to unmask] <mailto:[log in to unmask]> on behalf of
>> >>> [log in to unmask] <mailto:[log in to unmask]>> wrote:
>> >>>
>> >>>> Hi all,
>> >>>>
>> >>>> I have been talking to several registrars (especially smaller
>> >>>> ones that provide a lot of support to NGOs), that do not
>> >>>> provide DNSSEC yet as part of their service.
>> >>>>
>> >>>> The story that I keep on hearing is that even the most
>> >>>> experienced engineers have issues with understanding the
>> >>>> configuration of the KSK and Zone signing keys and the key
>> >>>> rollover, inconsistencies in documentation and therefore lack
>> >>>> of adoption, because in case of a mistake this might seriously
>> >>>> impact the production environment.
>> >>>>
>> >>>> I think the adoption of DNSSEC is an issue we should care about
>> >>>> because it has the potential to radically increase trust in the
>> >>>> DNS system.
>> >>>>
>> >>>> Is this an issue you all recognize, and do you know how / if
>> >>>> ICANN makes (or can make) this easier?
>> >>>>
>> >>>> Best,
>> >>>>
>> >>>> Niels
>> >>>>
>> >>>>
>> >>>> -- Niels ten Oever Head of Digital
>> >>>>
>> >>>> Article 19 www.article19.org <http://www.article19.org>
>> >>>>
>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>> >>>> 68E9
>> >>>>
>> >>
>> >> -- Niels ten Oever Head of Digital
>> >>
>> >> Article 19 www.article19.org <http://www.article19.org>
>> >>
>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>> >> 68E9
>>
>> --
>> Niels ten Oever
>> Head of Digital
>>
>> Article 19
>> www.article19.org <http://www.article19.org>
>>
>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>> 678B 08B5 A0F2 636D 68E9
>>
>>
>
>--
>Niels ten Oever
>Head of Digital
>
>Article 19
>www.article19.org
>
>PGP fingerprint 8D9F C567 BEE4 A431 56C4
> 678B 08B5 A0F2 636D 68E9