Hi Niels, ICANN organizes regularly for many years now in each ICANN meeting 2 DNSSec sessions related: - DNSSEC Workshop - DNSSEC for Everybody: A Beginner's Guide there are also also DNSSec session during conferences like African Internet Summit (https://internetsummitafrica.org/programme/agenda), https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum . my understanding is that ICANN tech team helped some ccTLD operators http://dnssec-africa.org/ I don't think there are specific activities toward registrars per se. Best, Rafik 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]>: > Hi James, > > On 05/26/2016 12:12 PM, James Gannon wrote: > > No sorry what are the specific issues, i.e. In understanding the KSK > > and ZSK keys, in documentation etc? Do DNS engineers at hosting > > companies really not understand it? > > > > Because there is a large amount of documentation out there for > > example on configuring DNSSEC in Bind and while yes deploying at > > scale is a risk that registrars would need to analysise and take an > > internal risk position on Im not sure I understand the ‘even the most > > experienced engineers don’t understand it’ part of the question. > > > > The rest I do for sure, adoption of DNSSEC is a big topic, but there > > is huge amount son work going on in both ICANN and ISOC supporting > > registrars who wish to move down that path in a stable and secure > > path. ISOC has documentation specifically targeting at registrars > > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ > > I know the RrSG has done some work for ones that are involved in > > that, there is also Deplay360 from ISOC > > http://www.internetsociety.org/deploy360/dnssec/ and a lot of > > community support behind it from a technical perspective for those > > interested. > > > > Have been clicking through the ISOC site, but I cannot find a proper > how-to or documentation for an indepdendent registrar anywhere. > > I think we should push harder for DNSSEC adoption, and ICANN can and > should play a role in this imho, why would it be more of an ISOC task > than a ICANN task? > > > > My question would be what is the thing that needs to be done to > > promote adoption, and from what I have seen so far its usually risk > > aversion on the business side, and that’s not something that we can > > do much about from the ICANN side of things, something I feel ISOC > > should focus on more tho. > > Business aversion is also because it's hard, and thus will cost more > time. Also: more risk because it might break. This does not balance well > with the increased trust gained with DNSSEC. We can help tip this scale > by making implementation easier through good documentation, no? Looks > like an ICANN task par excellence to me! > > Cheers, > > Niels > > > > > > -J > > > > > > > > > > On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask]> > > wrote: > > > >> Do you mean you would like to hear names of registrars that are > >> not offering DNSSEC ? Am afraid it is the majority of the SME > >> registrars / hosting providers. > >> > >> Cheers, > >> > >> Niels > >> > >> On 05/26/2016 11:57 AM, James Gannon wrote: > >>> Have you got any specific examples? > >>> > >>> > >>> > >>> > >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" > >>> <[log in to unmask] on behalf of > >>> [log in to unmask]> wrote: > >>> > >>>> Hi all, > >>>> > >>>> I have been talking to several registrars (especially smaller > >>>> ones that provide a lot of support to NGOs), that do not > >>>> provide DNSSEC yet as part of their service. > >>>> > >>>> The story that I keep on hearing is that even the most > >>>> experienced engineers have issues with understanding the > >>>> configuration of the KSK and Zone signing keys and the key > >>>> rollover, inconsistencies in documentation and therefore lack > >>>> of adoption, because in case of a mistake this might seriously > >>>> impact the production environment. > >>>> > >>>> I think the adoption of DNSSEC is an issue we should care about > >>>> because it has the potential to radically increase trust in the > >>>> DNS system. > >>>> > >>>> Is this an issue you all recognize, and do you know how / if > >>>> ICANN makes (or can make) this easier? > >>>> > >>>> Best, > >>>> > >>>> Niels > >>>> > >>>> > >>>> -- Niels ten Oever Head of Digital > >>>> > >>>> Article 19 www.article19.org > >>>> > >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D > >>>> 68E9 > >>>> > >> > >> -- Niels ten Oever Head of Digital > >> > >> Article 19 www.article19.org > >> > >> PGP fingerprint 8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D > >> 68E9 > > -- > Niels ten Oever > Head of Digital > > Article 19 > www.article19.org > > PGP fingerprint 8D9F C567 BEE4 A431 56C4 > 678B 08B5 A0F2 636D 68E9 >