Hi all, I have been talking to several registrars (especially smaller ones that provide a lot of support to NGOs), that do not provide DNSSEC yet as part of their service. The story that I keep on hearing is that even the most experienced engineers have issues with understanding the configuration of the KSK and Zone signing keys and the key rollover, inconsistencies in documentation and therefore lack of adoption, because in case of a mistake this might seriously impact the production environment. I think the adoption of DNSSEC is an issue we should care about because it has the potential to radically increase trust in the DNS system. Is this an issue you all recognize, and do you know how / if ICANN makes (or can make) this easier? Best, Niels -- Niels ten Oever Head of Digital Article 19 www.article19.org PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D 68E9