It is certainly an issue ICANN cares about. The tech day workshops always have lots of sessions about DNSSEC implementation etc (at least, when I had time to go to them they did). 
But they’ve been plugging away at it for ages, and it still isn’t happening, so it may be worth doing some work on it. 

I don’t think there is much we can really do at the policy level, and it may not really be an NCSG thing as such (in that the solution may not be within ICANN), but I’m certainly interested in looking at it from an NGO perspective. Let's Encrypt is a great example of how difficult things can be made much easier. A similar effort to make DNSSEC easy would be an excellent thing.

But data gathering is the place to start. 

David


On 28 May 2016, at 3:41 AM, James Gannon <[log in to unmask]> wrote:

I think at the moment we are just talking about doing some information gathering rather than organising training sessions.
Just trying to manage expectations; let's see what we can do and what's needed before running down the road.

-jg

From: NCSG-Discuss <[log in to unmask]> on behalf of Grace Githaiga <[log in to unmask]>
Reply-To: Grace Githaiga <[log in to unmask]>
Date: Friday 27 May 2016 at 20:38
To: "[log in to unmask]" <[log in to unmask]>
Subject: Re: DNSSEC key rollover issues

Patrik is a good resource. I support that he be invited.


Date: Fri, 27 May 2016 15:05:08 +0200
From: [log in to unmask]
Subject: Re: DNSSEC key rollover issues
To: [log in to unmask]

We can invite Patrik Falstrom and have a training session. 

On 27 May 2016 at 14:56, James Gannon <[log in to unmask]> wrote:
I like that idea. Let's try and gather some info before Helsinki and see if this is something we need to put time into and where our time is best spent.

-jg




On 27/05/2016, 13:55, "Niels ten Oever" <[log in to unmask]> wrote:

>Perhaps we can reach out to Michele and see where this is on their
>agenda? Shall I do so? Do other people share this concern?
>
>Cheers,
>
>Niels
>
>On 05/27/2016 02:38 PM, James Gannon wrote:
>> Agreed, so do I see you volunteering to lead this effort? =)
>> Happy to assist/help out where I can!
>>
>> -JG
>>
>>
>>
>> On 27/05/2016, 12:46, "NCSG-Discuss on behalf of Niels ten Oever" <[log in to unmask] on behalf of [log in to unmask]> wrote:
>>
>>> Hi Rafik,
>>>
>>> The DNSSEC for Everybody is great and fun, but it's more a very rough
>>> 101. The DNSSEC workshop is also great, but it doesn't help you when you
>>> are behind a production terminal. Good documentation is needed. Or we
>>> need to find out better why adoption levels are so low.
>>>
>>> Is this something we can bring up?
>>>
>>> I think this is especially an issue for the NCSG because NGOs,
>>> activists and individual users will greatly benefit from increased
>>> trust, and more protection against DNS poisoning. With the enormous
>>> success of Let's Encrypt (1 million certs distributed, covering >2.5
>>> million domains) DNSSEC is the next logical step, and adoption is still
>>> _very_ low.
>>>
>>> Cheers,
>>>
>>> Niels
>>>
>>>
>>> On 05/27/2016 01:34 PM, Rafik Dammak wrote:
>>>> Hi Niels,
>>>>
>>>> ICANN has regularly organized, for many years now, 2 DNSSEC-related
>>>> sessions at each ICANN meeting:
>>>>
>>>>   * DNSSEC Workshop
>>>>   * DNSSEC for Everybody: A Beginner's Guide
>>>>
>>>> There are also DNSSEC sessions during conferences like African
>>>> Internet Summit (https://internetsummitafrica.org/programme/agenda),
>>>> https://nsrc.org/workshops/2013/nsrc-ati-tn-dnssec/ or ICANN DNS forum.
>>>> My understanding is that ICANN tech team helped some ccTLD
>>>> operators http://dnssec-africa.org/
>>>>
>>>> I don't think there are specific activities toward registrars per se.
>>>>
>>>> Best,
>>>>
>>>> Rafik
>>>>
>>>> 2016-05-27 20:21 GMT+09:00 Niels ten Oever <[log in to unmask]
>>>> <mailto:[log in to unmask]>>:
>>>>
>>>>     Hi James,
>>>>
>>>>     On 05/26/2016 12:12 PM, James Gannon wrote:
>>>>     > No sorry what are the specific issues, i.e. In understanding the KSK
>>>>     > and ZSK keys, in documentation etc? Do DNS engineers at hosting
>>>>     > companies really not understand it?
>>>>     >
>>>>     > Because there is a large amount of documentation out there for
>>>>     > example on configuring DNSSEC in Bind and while yes deploying at
>>>>     > scale is a risk that registrars would need to analyse and take an
>>>>     > internal risk position on I'm not sure I understand the ‘even the most
>>>>     > experienced engineers don’t understand it’ part of the question.
>>>>     >
>>>>     > The rest I do for sure, adoption of DNSSEC is a big topic, but there
>>>>     > is a huge amount of work going on in both ICANN and ISOC supporting
>>>>     > registrars who wish to move down that path in a stable and secure
>>>>     > path. ISOC has documentation specifically targeted at registrars
>>>>     > http://www.internetsociety.org/deploy360/resources/dnssec-registrars/
>>>>     > I know the RrSG has done some work for ones that are involved in
>>>>     > that, there is also Deploy360 from ISOC
>>>>     > http://www.internetsociety.org/deploy360/dnssec/ and a lot of
>>>>     > community support behind it from a technical perspective for those
>>>>     > interested.
>>>>     >
>>>>
>>>>     Have been clicking through the ISOC site, but I cannot find a proper
>>>>     how-to or documentation for an independent registrar anywhere.
>>>>
>>>>     I think we should push harder for DNSSEC adoption, and ICANN can and
>>>>     should play a role in this imho, why would it be more of an ISOC task
>>>>     than an ICANN task?
>>>>
>>>>
>>>>     > My question would be what is the thing that needs to be done to
>>>>     > promote adoption, and from what I have seen so far it's usually risk
>>>>     > aversion on the business side, and that’s not something that we can
>>>>     > do much about from the ICANN side of things, something I feel ISOC
>>>>     > should focus on more tho.
>>>>
>>>>     Business aversion is also because it's hard, and thus will cost more
>>>>     time. Also: more risk because it might break. This does not balance well
>>>>     with the increased trust gained with DNSSEC. We can help tip this scale
>>>>     by making implementation easier through good documentation, no? Looks
>>>>     like an ICANN task par excellence to me!
>>>>
>>>>     Cheers,
>>>>
>>>>     Niels
>>>>
>>>>
>>>>     >
>>>>     > -J
>>>>     >
>>>>     >
>>>>     >
>>>>     >
>>>>     > On 26/05/2016, 11:03, "Niels ten Oever"
>>>>     <[log in to unmask] <mailto:[log in to unmask]>>
>>>>     > wrote:
>>>>     >
>>>>     >> Do you mean you would like to hear names of registrars that are
>>>>     >> not offering DNSSEC ? Am afraid it is the majority of the SME
>>>>     >> registrars / hosting providers.
>>>>     >>
>>>>     >> Cheers,
>>>>     >>
>>>>     >> Niels
>>>>     >>
>>>>     >> On 05/26/2016 11:57 AM, James Gannon wrote:
>>>>     >>> Have you got any specific examples?
>>>>     >>>
>>>>     >>>
>>>>     >>>
>>>>     >>>
>>>>     >>> On 26/05/2016, 10:50, "NCSG-Discuss on behalf of Niels ten Oever"
>>>>     >>> <[log in to unmask]
>>>>     <mailto:[log in to unmask]> on behalf of
>>>>     >>> [log in to unmask]
>>>>     <mailto:[log in to unmask]>> wrote:
>>>>     >>>
>>>>     >>>> Hi all,
>>>>     >>>>
>>>>     >>>> I have been talking to several registrars (especially smaller
>>>>     >>>> ones that provide a lot of support to NGOs), that do not
>>>>     >>>> provide DNSSEC yet as part of their service.
>>>>     >>>>
>>>>     >>>> The story that I keep on hearing is that even the most
>>>>     >>>> experienced engineers have issues with understanding the
>>>>     >>>> configuration of the KSK and Zone signing keys and the key
>>>>     >>>> rollover, inconsistencies in documentation and therefore lack
>>>>     >>>> of adoption, because in case of a mistake this might seriously
>>>>     >>>> impact the production environment.
>>>>     >>>>
>>>>     >>>> I think the adoption of DNSSEC is an issue we should care about
>>>>     >>>> because it has the potential to radically increase trust in the
>>>>     >>>> DNS system.
>>>>     >>>>
>>>>     >>>> Is this an issue you all recognize, and do you know how / if
>>>>     >>>> ICANN makes (or can make) this easier?
>>>>     >>>>
>>>>     >>>> Best,
>>>>     >>>>
>>>>     >>>> Niels
>>>>     >>>>
>>>>     >>>>
>>>>     >>>> -- Niels ten Oever Head of Digital
>>>>     >>>>
>>>>     >>>> Article 19 www.article19.org <http://www.article19.org>
>>>>     >>>>
>>>>     >>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>>>>     >>>> 68E9
>>>>     >>>>
>>>>     >>
>>>>     >> -- Niels ten Oever Head of Digital
>>>>     >>
>>>>     >> Article 19 www.article19.org <http://www.article19.org>
>>>>     >>
>>>>     >> PGP fingerprint    8D9F C567 BEE4 A431 56C4 678B 08B5 A0F2 636D
>>>>     >> 68E9
>>>>
>>>>     --
>>>>     Niels ten Oever
>>>>     Head of Digital
>>>>
>>>>     Article 19
>>>>     www.article19.org <http://www.article19.org>
>>>>
>>>>     PGP fingerprint    8D9F C567 BEE4 A431 56C4
>>>>                        678B 08B5 A0F2 636D 68E9
>>>>
>>>>
>>>
>>> --
>>> Niels ten Oever
>>> Head of Digital
>>>
>>> Article 19
>>> www.article19.org
>>>
>>> PGP fingerprint    8D9F C567 BEE4 A431 56C4
>>>                   678B 08B5 A0F2 636D 68E9
>
>--
>Niels ten Oever
>Head of Digital
>
>Article 19
>www.article19.org
>
>PGP fingerprint    8D9F C567 BEE4 A431 56C4
>                   678B 08B5 A0F2 636D 68E9



-- 
Farzaneh