[dnssec-deployment] DNSSEC on NANOG
Ed.Lewis at neustar.biz
Wed Jun 14 14:19:49 EDT 2006

At 12:39 -0400 6/14/06, Thierry Moreau wrote:
>But, if DLV is being discussed at all, it's a sign that 1) DNSSEC awareness
>is expanding, and 2) some participants demonstrate an awareness of the DNS
>root signing criticalness ...

That's a very optimistic way to see the thread, and as was said 20
years ago in the USSR "it's not good for engineers to be optimistic."
(http://en.wikipedia.org/wiki/Chernobyl_accident) I don't mean to
equate DNSSEC with such a devastating disaster, but if we are
satisfied with some words being exchanged on a mailing list, we
aren't trying hard enough to deploy DNSSEC.

>TLD support, hopefully DNS root support, and support by major DNS
>technology players (e.g. significant e-commerce operators) should come first
>in the chicken-and-egg dilemma of DNSSEC deployment. Then, product managers
>of application software will look at DNSSEC seriously.

As much as I would like to set up a DNSSEC service at a TLD and say
"we're open for business", this again is overly optimistic. If a
gTLD implements DNSSEC and no registrar finds a market for it, the
implementation is a *complete* waste of someone's money. ("Someone"
being stockholders of the company, not DNSSEC zealots.) From Rick's
observation, I'd place the risk of there being no market at close to
1 (100%) at this point.

(Why solve a problem that doesn't exist?)

There are folks who said they'd love to play with DNSSEC. If you
really do, go to www.ar.com and show your support. Buy a name from
Rick (or transfer one there). No, Rick did not compensate me for the
endorsement and to be fair to other registrars - if anyone knows of
another registrar prepared to do DNSSEC, go to them. Not even the
"zealot" community has decided to play, no one is eating their own

>What about DKIM as the "killer app" for DNSSEC?

What about it? Have consumers for DKIM voted with shoe leather to
buy DNSSEC services?

>Then we need to make DNSSEC more effective in providing cryptographic
>assurance for data retrieved from the DNS global distributed database.

Shoot, if after a decade plus of "us" trying to do just that and
seeing where we are, either it is a case of a poor plan or poor

Edward Lewis +1-571-434-5468
Nothin' more exciting than going to the printer to watch the toner drain...