I like that idea. Let's try and gather some info before Helsinki and see if this is something we need to put time into and where our time is best spent.

-jg

On 27/05/2016, 13:55, "Niels ten Oever" <[log in to unmask]> wrote:

>Perhaps we can reach out to Michele and see where this is on their
>agenda? Shall I do so? Do other people share this concern?
>
>Cheers,
>
>Niels
>
>On 05/27/2016 02:38 PM, James Gannon wrote:
>> Agreed, so do I see you volunteering to lead this effort? =)
>> Happy to assist/help out where I can!
>>
>> -JG
>>
>>
>> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>>
>>> Hi Rafik,
>>>
>>> The DNSSEC for Everybody is great and fun, but it's more a very rough
>>> 101. The DNSSEC workshop is also great, but it doesn't help you when you
>>> are behind a production terminal. Good documentation is needed. Or we
>>> need to find out better why adoption levels are so low.
>>>
>>> Is this something we can bring up?
>>>
>>> I think this is especially an issue for the NCSG because NGOs,
>>> activists and individual users will greatly benefit from increased
>>> trust, and more protection against DNS poisoning. With the enormous
>>> success of Let's Encrypt (1 million certs distributed, covering >2.5
>>> million domains) DNSSEC is the next logical step, and adoption is still
>>> _very_ low.
>>>
>>> Cheers,
>>>
>>> Niels
>>>
>>>
>>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:
>>>> Hi Niels,
>>>>
>>>> ICANN organizes regularly for many years now in each ICANN meeting 2
>>>> DNSSec sessions related:
>>>>
>>>> * DNSSEC Workshop
>>>> * DNSSEC for Everybody: A Beginner's Guide
>>>>
>>>> there are also DNSSec session during conferences like African
>>>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
>>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum
>>>> .
>>>> my understanding is that ICANN tech team helped some ccTLD
>>>> operators http://dnssec-africa.org/
>>>>
>>>> I don't think there are specific activities toward registrars per se.
>>>>
>>>> Best,
>>>>
>>>> Rafik
>>>>
>>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]>:
>>>>
>>>> Hi James,
>>>>
>>>> On 05/26/2016 12:12 PM, James Gannon wrote:
>>>> > No sorry what are the specific issues, i.e. In understanding the KSK
>>>> > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>>>> > companies really not understand it?
>>>> >
>>>> > Because there is a large amount of documentation out there for
>>>> > example on configuring DNSSEC in Bind and while yes deploying at
>>>> > scale is a risk that registrars would need to analyse and take an
>>>> > internal risk position on I'm not sure I understand the ‘even the most
>>>> > experienced engineers don’t understand it’ part of the question.
>>>> >
>>>> > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>>>> > is huge amount of work going on in both ICANN and ISOC supporting
>>>> > registrars who wish to move down that path in a stable and secure
>>>> > path. ISOC has documentation specifically targeting at registrars
>>>> > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>>>> > I know the RrSG has done some work for ones that are involved in
>>>> > that, there is also Deploy360 from ISOC
>>>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>>>> > community support behind it from a technical perspective for those
>>>> > interested.
>>>> >
>>>>
>>>> Have been clicking through the ISOC site, but I cannot find a proper
>>>> how-to or documentation for an independent registrar anywhere.
>>>>
>>>> I think we should push harder for DNSSEC adoption, and ICANN can and
>>>> should play a role in this imho, why would it be more of an ISOC task
>>>> than an ICANN task?
>>>>
>>>>
>>>> > My question would be what is the thing that needs to be done to
>>>> > promote adoption, and from what I have seen so far it's usually risk
>>>> > aversion on the business side, and that’s not something that we can
>>>> > do much about from the ICANN side of things, something I feel ISOC
>>>> > should focus on more tho.
>>>>
>>>> Business aversion is also because it's hard, and thus will cost more
>>>> time. Also: more risk because it might break. This does not balance well
>>>> with the increased trust gained with DNSSEC. We can help tip this scale
>>>> by making implementation easier through good documentation, no? Looks
>>>> like an ICANN task par excellence to me!
>>>>
>>>> Cheers,
>>>>
>>>> Niels
>>>>
>>>>
>>>> >
>>>> > -J
>>>> >
>>>> >
>>>> > On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask]> wrote:
>>>> >
>>>> >> Do you mean you would like to hear names of registrars that are
>>>> >> not offering DNSSEC ? Am afraid it is the majority of the SME
>>>> >> registrars / hosting providers.
>>>> >>
>>>> >> Cheers,
>>>> >>
>>>> >> Niels
>>>> >>
>>>> >> On 05/26/2016 11:57 AM, James Gannon wrote:
>>>> >>> Have you got any specific examples?
>>>> >>>
>>>> >>>
>>>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"
>>>> >>> <[log in to unmask] on behalf of [log in to unmask]> wrote:
>>>> >>>
>>>> >>>> Hi all,
>>>> >>>>
>>>> >>>> I have been talking to several registrars (especially smaller
>>>> >>>> ones that provide a lot of support to NGOs), that do not
>>>> >>>> provide DNSSEC yet as part of their service.
>>>> >>>>
>>>> >>>> The story that I keep on hearing is that even the most
>>>> >>>> experienced engineers have issues with understanding the
>>>> >>>> configuration of the KSK and Zone signing keys and the key
>>>> >>>> rollover, inconsistencies in documentation and therefore lack
>>>> >>>> of adoption, because in case of a mistake this might seriously
>>>> >>>> impact the production environment.
>>>> >>>>
>>>> >>>> I think the adoption of DNSSEC is an issue we should care about
>>>> >>>> because it has the potential to radically increase trust in the
>>>> >>>> DNS system.
>>>> >>>>
>>>> >>>> Is this an issue you all recognize, and do you know how / if
>>>> >>>> ICANN makes (or can make) this easier?
>>>> >>>>
>>>> >>>> Best,
>>>> >>>>
>>>> >>>> Niels
>>>> >>>>
>>>> >>>> -- Niels ten Oever Head of Digital
>>>> >>>>
>>>> >>>> Article 19 www.article19.org
>>>> >>>>
>>>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D 68E9
>>>> >>>>
>>>> >>
>>>> >> -- Niels ten Oever Head of Digital
>>>> >>
>>>> >> Article 19 www.article19.org
>>>> >>
>>>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D 68E9
>>>>
>>>> --
>>>> Niels ten Oever
>>>> Head of Digital
>>>>
>>>> Article 19
>>>> www.article19.org
>>>>
>>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>>>> 678B 08B5 A0F2 636D 68E9
>>>>
>>>
>>> --
>>> Niels ten Oever
>>> Head of Digital
>>>
>>> Article 19
>>> www.article19.org
>>>
>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>>> 678B 08B5 A0F2 636D 68E9
>
>--
>Niels ten Oever
>Head of Digital
>
>Article 19
>www.article19.org
>
>PGP fingerprint 8D9F C567 BEE4 A431 56C4
> 678B 08B5 A0F2 636D 68E9