LISTSERV - NCSG-DISCUSS Archives

Hi Niels,

ICANN organizes regularly for many years now in each ICANN meeting 2 DNSSec
sessions related:

   - DNSSEC Workshop
   - DNSSEC for Everybody: A Beginner's Guide

there are also also DNSSec session during conferences like African Internet
Summit (https://internetsummitafrica.org/programme/agenda),
https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or  ICANN DNS forum .
my understanding is that ICANN tech team helped some ccTLD operators
http://dnssec-africa.org/

I don't think there are specific activities toward registrars per se.

Best,

Rafik

2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]>:

> Hi James,
>
> On 05/26/2016 12:12 PM, James Gannon wrote:
> > No sorry what are the specific issues, i.e. In understanding the KSK
> > and ZSK keys, in documentation etc? Do DNS engineers at hosting
> > companies really not understand it?
> >
> > Because there is a large amount of documentation out there for
> > example on configuring DNSSEC in Bind and while yes deploying at
> > scale is a risk that registrars would need to analysise and take an
> > internal risk position on Im not sure I understand the ‘even the most
> > experienced engineers don’t understand it’ part of the question.
> >
> > The rest I do for sure, adoption of DNSSEC is a big topic, but there
> > is huge amount son work going on in both ICANN and ISOC supporting
> > registrars who wish to move down that path in a stable and secure
> > path. ISOC has documentation specifically targeting at registrars
> > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
> > I know the RrSG has done some work for ones that are involved in
> > that, there is also Deplay360 from ISOC
> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
> > community support behind it from a technical perspective for those
> > interested.
> >
>
> Have been clicking through the ISOC site, but I cannot find a proper
> how-to or documentation for an indepdendent registrar anywhere.
>
> I think we should push harder for DNSSEC adoption, and ICANN can and
> should play a role in this imho, why would it be more of an ISOC task
> than a ICANN task?
>
>
> > My question would be what is the thing that needs to be done to
> > promote adoption, and from what I have seen so far its usually risk
> > aversion on the business side, and that’s not something that we can
> > do much about from the ICANN side of things, something I feel ISOC
> > should focus on more tho.
>
> Business aversion is also because it's hard, and thus will cost more
> time. Also: more risk because it might break. This does not balance well
> with the increased trust gained with DNSSEC. We can help tip this scale
> by making implementation easier through good documentation, no? Looks
> like an ICANN task par excellence to me!
>
> Cheers,
>
> Niels
>
>
> >
> > -J
> >
> >
> >
> >
> > On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask]>
> > wrote:
> >
> >> Do you mean you would like to hear names of registrars that are
> >> not offering DNSSEC ? Am afraid it is the majority of the SME
> >> registrars / hosting providers.
> >>
> >> Cheers,
> >>
> >> Niels
> >>
> >> On 05/26/2016 11:57 AM, James Gannon wrote:
> >>> Have you got any specific examples?
> >>>
> >>>
> >>>
> >>>
> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"
> >>> <[log in to unmask] on behalf of
> >>> [log in to unmask]> wrote:
> >>>
> >>>> Hi all,
> >>>>
> >>>> I have been talking to several registrars (especially smaller
> >>>> ones that provide a lot of support to NGOs), that do not
> >>>> provide DNSSEC yet as part of their service.
> >>>>
> >>>> The story that I keep on hearing is that even the most
> >>>> experienced engineers have issues with understanding the
> >>>> configuration of the KSK and Zone signing keys and the key
> >>>> rollover, inconsistencies in documentation and therefore lack
> >>>> of adoption, because in case of a mistake this might seriously
> >>>> impact the production environment.
> >>>>
> >>>> I think the adoption of DNSSEC is an issue we should care about
> >>>> because it has the potential to radically increase trust in the
> >>>> DNS system.
> >>>>
> >>>> Is this an issue you all recognize, and do you know how / if
> >>>> ICANN makes (or can make) this easier?
> >>>>
> >>>> Best,
> >>>>
> >>>> Niels
> >>>>
> >>>>
> >>>> -- Niels ten Oever Head of Digital
> >>>>
> >>>> Article 19 www.article19.org
> >>>>
> >>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
> >>>> 68E9
> >>>>
> >>
> >> -- Niels ten Oever Head of Digital
> >>
> >> Article 19 www.article19.org
> >>
> >> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
> >> 68E9
>
> --
> Niels ten Oever
> Head of Digital
>
> Article 19
> www.article19.org
>
> PGP fingerprint    8D9F C567 BEE4 A431 56C4
>                    678B 08B5 A0F2 636D 68E9
>