Perhaps we can reach out to Michele and see where this is on their agenda?
Shall I do so? Do other people share this concern?

Cheers,

Niels

On 05/27/2016 02:38 PM, James Gannon wrote:
> Agreed, so do I see you volunteering to lead this effort? =)
> Happy to assist/help out where I can!
>
> -JG
>
> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>
>> Hi Rafik,
>>
>> The DNSSEC for Everybody is great and fun, but it's more a very rough
>> 101. The DNSSEC workshop is also great, but it doesn't help you when you
>> are behind a production terminal. Good documentation is needed. Or we
>> need to find out better why adoption levels are so low.
>>
>> Is this something we can bring up?
>>
>> I think this is especially an issue for the NCSG because NGOs,
>> activists and individual users will greatly benefit from increased
>> trust, and more protection against DNS poisoning. With the enormous
>> success of Let's Encrypt (1 million certs distributed, covering >2.5
>> million domains) DNSSEC is the next logical step, and adoption is still
>> _very_ low.
>>
>> Cheers,
>>
>> Niels
>>
>>
>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:
>>> Hi Niels,
>>>
>>> ICANN organizes regularly for many years now in each ICANN meeting 2
>>> DNSSec sessions related:
>>>
>>> * DNSSEC Workshop
>>> * DNSSEC for Everybody: A Beginner's Guide
>>>
>>> there are also DNSSec session during conferences like African
>>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum.
>>> my understanding is that ICANN tech team helped some ccTLD
>>> operators http://dnssec-africa.org/
>>>
>>> I don't think there are specific activities toward registrars per se.
>>>
>>> Best,
>>>
>>> Rafik
>>>
>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask] <mailto:[log in to unmask]>>:
>>>
>>> Hi James,
>>>
>>> On 05/26/2016 12:12 PM, James Gannon wrote:
>>> > No sorry what are the specific issues, i.e. In understanding the KSK
>>> > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>>> > companies really not understand it?
>>> >
>>> > Because there is a large amount of documentation out there for
>>> > example on configuring DNSSEC in Bind and while yes deploying at
>>> > scale is a risk that registrars would need to analyse and take an
>>> > internal risk position on I'm not sure I understand the ‘even the most
>>> > experienced engineers don’t understand it’ part of the question.
>>> >
>>> > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>>> > is huge amount of work going on in both ICANN and ISOC supporting
>>> > registrars who wish to move down that path in a stable and secure
>>> > path. ISOC has documentation specifically targeted at registrars
>>> > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>>> > I know the RrSG has done some work for ones that are involved in
>>> > that, there is also Deploy360 from ISOC
>>> > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>>> > community support behind it from a technical perspective for those
>>> > interested.
>>> >
>>>
>>> Have been clicking through the ISOC site, but I cannot find a proper
>>> how-to or documentation for an independent registrar anywhere.
>>>
>>> I think we should push harder for DNSSEC adoption, and ICANN can and
>>> should play a role in this imho, why would it be more of an ISOC task
>>> than an ICANN task?
>>>
>>> > My question would be what is the thing that needs to be done to
>>> > promote adoption, and from what I have seen so far it's usually risk
>>> > aversion on the business side, and that’s not something that we can
>>> > do much about from the ICANN side of things, something I feel ISOC
>>> > should focus on more tho.
>>>
>>> Business aversion is also because it's hard, and thus will cost more
>>> time. Also: more risk because it might break. This does not balance well
>>> with the increased trust gained with DNSSEC. We can help tip this scale
>>> by making implementation easier through good documentation, no? Looks
>>> like an ICANN task par excellence to me!
>>>
>>> Cheers,
>>>
>>> Niels
>>>
>>> >
>>> > -J
>>> >
>>> > On 26/05/2016, 11:03, "Niels ten Oever" <[log in to unmask] <mailto:[log in to unmask]>> wrote:
>>> >
>>> >> Do you mean you would like to hear names of registrars that are
>>> >> not offering DNSSEC? Am afraid it is the majority of the SME
>>> >> registrars / hosting providers.
>>> >>
>>> >> Cheers,
>>> >>
>>> >> Niels
>>> >>
>>> >> On 05/26/2016 11:57 AM, James Gannon wrote:
>>> >>> Have you got any specific examples?
>>> >>>
>>> >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] <mailto:[log in to unmask]> on behalf of [log in to unmask] <mailto:[log in to unmask]>> wrote:
>>> >>>
>>> >>>> Hi all,
>>> >>>>
>>> >>>> I have been talking to several registrars (especially smaller
>>> >>>> ones that provide a lot of support to NGOs), that do not
>>> >>>> provide DNSSEC yet as part of their service.
>>> >>>>
>>> >>>> The story that I keep on hearing is that even the most
>>> >>>> experienced engineers have issues with understanding the
>>> >>>> configuration of the KSK and Zone signing keys and the key
>>> >>>> rollover, inconsistencies in documentation and therefore lack
>>> >>>> of adoption, because in case of a mistake this might seriously
>>> >>>> impact the production environment.
>>> >>>>
>>> >>>> I think the adoption of DNSSEC is an issue we should care about
>>> >>>> because it has the potential to radically increase trust in the
>>> >>>> DNS system.
>>> >>>>
>>> >>>> Is this an issue you all recognize, and do you know how / if
>>> >>>> ICANN makes (or can make) this easier?
>>> >>>>
>>> >>>> Best,
>>> >>>>
>>> >>>> Niels
>>> >>>>
>>> >>>> --
>>> >>>> Niels ten Oever
>>> >>>> Head of Digital
>>> >>>>
>>> >>>> Article 19
>>> >>>> www.article19.org <http://www.article19.org>
>>> >>>>
>>> >>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>>> >>>> 678B 08B5 A0F2 636D 68E9
>>> >>>>
>>> >>
>>> >> --
>>> >> Niels ten Oever
>>> >> Head of Digital
>>> >>
>>> >> Article 19
>>> >> www.article19.org <http://www.article19.org>
>>> >>
>>> >> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>>> >> 678B 08B5 A0F2 636D 68E9
>>>
>>> --
>>> Niels ten Oever
>>> Head of Digital
>>>
>>> Article 19
>>> www.article19.org <http://www.article19.org>
>>>
>>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>>> 678B 08B5 A0F2 636D 68E9
>>>
>>
>> --
>> Niels ten Oever
>> Head of Digital
>>
>> Article 19
>> www.article19.org
>>
>> PGP fingerprint 8D9F C567 BEE4 A431 56C4
>> 678B 08B5 A0F2 636D 68E9

--
Niels ten Oever
Head of Digital

Article 19
www.article19.org

PGP fingerprint 8D9F C567 BEE4 A431 56C4
678B 08B5 A0F2 636D 68E9