[dnssec-deployment] DNSSEC on NANOG

Edward Lewis Ed.Lewis at neustar.biz
Wed Jun 14 14:19:49 EDT 2006


At 12:39 -0400 6/14/06, Thierry Moreau wrote:

>But, if DLV is being discussed at all, it's a sign that 1) DNSSEC awareness
>is expanding, and 2) some participants demonstrate an awareness of the DNS
>root signing criticalness ...

That's a very optimistic way to see the thread, and as was said 20 
years ago in the USSR "it's not good for engineers to be optimistic." 
(http://en.wikipedia.org/wiki/Chernobyl_accident)  I don't mean to 
equate DNSSEC with such a devastating disaster, but if we are 
satisfied with some words being exchanged on a mailing list, we 
aren't trying hard enough to deploy DNSSEC.

>TLD support, hopefully DNS root support, and support by major DNS
>technology players (e.g. significant e-commerce operators) should come first
>in the chicken-and-egg dilemma of DNSSEC deployment. Then, product managers
>of application software will look at DNSSEC seriously.

As much as I would like to set up a DNSSEC service at a TLD and say 
"we're open for business", this again is overly optimistic.  If a 
gTLD implements DNSSEC and no registrar finds a market for it, the 
implementation is a *complete* waste of someone's money.  ("Someone" 
being stockholders of the company, not DNSSEC zealots.)  From Rick's 
observation, I'd place the risk of there being no market at close to 
1 (100%) at this point.

(Why solve a problem that doesn't exist?)

There are folks who said they'd love to play with DNSSEC.  If you 
really do, go to www.ar.com and show your support.  Buy a name from 
Rick (or transfer one there).  No, Rick did not compensate me for the 
endorsement and to be fair to other registrars - if anyone knows of 
another registrar prepared to do DNSSEC, go to them.  Not even the 
"zealot" community has decided to play, no one is eating their own 
dog food.

>What about DKIM as the "killer app" for DNSSEC?

What about it?  Have consumers for DKIM voted with shoe leather to 
buy DNSSEC services?

>Then we need to make DNSSEC more effective in providing cryptographic
>assurance for data retrieved from the DNS global distributed database.

Shoot, if after a decade plus of "us" trying to do just that and 
seeing where we are, either it is a case of a poor plan or poor 
execution.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Nothin' more exciting than going to the printer to watch the toner drain...


