Swedish launch of DNSSEC; etc.
steve at shinkuro.com
Mon Feb 19 02:24:47 EST 2007
Please pardon the blind posting. I am sending this to multiple
groups at once. I want to share the good news broadly. My apologies
to those of you on more than one list; you may get multiple copies of
Last Friday I attended the formal, commercial launch of DNSSEC in
Sweden. IIS, the Swedish registry for .SE, had been running DNSSEC
for about a year but had controlled the process for registrants to
sign up for it. With the launch Friday, the door is now open for
registrants to sign up easily and quickly. nning.se signed up very
quickly to become the first paying DNSSEC customer.
Key people involved are Danny Aerts, Staffan Hagnell, Anne-Marie
Löwinder-Eklund and Malin Westerlund, all of IIS, and Anders Rafting
of PTS. (I will send a fuller description of their roles and other
people in a subsequent note.)
As part of their preparations for the launch, IIS put in a lot of
work behind the scenes. They arranged with their largest registrars
to accept requests for DNSSEC service from registrars, and they
modified their own system to make sure they could accept notice of keys.
Another very important part of the launch was their focus on ISPs.
They arranged for the largest ISPs to run DNSSEC-compliant resolvers,
thereby closing the loop so signatures are requested and checked.
More on this below.
They also worked with the largest bank, Svedbank, to commit to DNSSEC.
The launch itself was a half day symposium attended by registrars,
ISPs, banks, journalists and others. There were talks by IIS, PTS
(the Swedish government office which oversees the .SE registry), a
large registrar, a large ISP, and Svedbank. All except my talk was
During the Q&A period, I was pressed forcefully for information on
when the root will be signed. The Swedish ISP made the point that
they could keep up with a single key for .se, but they were not
prepared to handle lots of keys from different sources. Both the IIS
folks and I, quite independently, made the point that since the root
is quite small, the damage caused by not having it signed is
manageable. Almost all TLDs, on the other hand, are significantly
larger than the root, and thus the number of trust anchors underneath
a TLD is much, much larger than the number of trust anchors arising
from an unsigned root. That's a technically correct answer and was
the right posture to take in that forum, but it as clear to me there
will be increasing pressure on this point.
I also learned last week, quite to my surprise, that .SE (Bulgaria)
has signed its zone. Puerto Rico (.PR) is also running a signed
zone, and Brazil (.BR) and Mexico (.MX) are on the verge. The issue
of finding the keys for the multiple TLDs that are signed is now a
I also met last Thursday with the Swedish registry folks (IIS) in the
morning and with Swedish government people, primarily in the PTS, in
the afternoon. In the afternoon we discussed adoption of DNSSEC
throughout the government. This led to a discussion of how many
distinct zones there are inside the government. They don't know, and
this might trigger a survey. The guess is somewhere between 100 and
1,000 individually maintained zone. In both the discussion with the
government folks and in my talk on Friday I pushed the idea of
aggregating DNS look up service and tying the signing to the look up
operation, thereby relieving the zone editors from the costs and
hassles of deploying DNSSEC. This resonated with several people.
One question that came up in the morning at IIS is whether they
should permit their key to be included in the DLV. I countered with
the thought that they should make their key available as widely as
possible through as many channels as possible, and that it was more a
question of whether others, including ISC, want to include their
key. This theme continued during the Q&A sessions on Friday, and I
promised to set up a page on the dnssec-deployment.org web site to
hold the keys that have been created so far. One way or another,
there needs to be a distribution system.
The IIS folks are eager to show what they've done and are willing to
host a meeting in a few months for those who are interested. I also
plan to have an condensation of the launch presentations presented at
the ICANN meeting in Lisbon nexgt month.
P.S. IIS also awarded me shinkuro.se. I plan to get it in operation
and signed ASAP!
steve at shinkuro.com
Try Shinkuro's collaboration technology. Visit www.shinkuro.com. I
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dnssec-deployment