Swedish launch of DNSSEC; etc.

Steve Crocker steve at shinkuro.com
Mon Feb 19 02:24:47 EST 2007


Folks,

Please pardon the blind posting.  I am sending this to multiple  
groups at once.  I want to share the good news broadly.  My apologies  
to those of you on more than one list; you may get multiple copies of  
this.

Last Friday I attended the formal, commercial launch of DNSSEC in  
Sweden.  IIS, the Swedish registry for .SE, had been running DNSSEC  
for about a year but had controlled the process for registrants to  
sign up for it.  With the launch Friday, the door is now open for  
registrants to sign up easily and quickly.  nning.se signed up very  
quickly to become the first paying DNSSEC customer.

Key people involved are Danny Aerts, Staffan Hagnell, Anne-Marie  
Löwinder-Eklund and Malin Westerlund, all of IIS, and Anders Rafting  
of PTS.  (I will send a fuller description of their roles and other  
people in a subsequent note.)

As part of their preparations for the launch, IIS put in a lot of  
work behind the scenes.  They arranged with their largest registrars  
to accept requests for DNSSEC service from registrars, and they  
modified their own system to make sure they could accept notice of keys.

Another very important part of the launch was their focus on ISPs.   
They arranged for the largest ISPs to run DNSSEC-compliant resolvers,  
thereby closing the loop so signatures are requested and checked.   
More on this below.

They also worked with the largest bank, Svedbank, to commit to DNSSEC.

The launch itself was a half day symposium attended by registrars,  
ISPs, banks, journalists and others.  There were talks by IIS, PTS  
(the Swedish government office which oversees the .SE registry), a  
large registrar, a large ISP, and Svedbank.  All except my talk were  
in Swedish.

During the Q&A period, I was pressed forcefully for information on  
when the root will be signed.  The Swedish ISP made the point that  
they could keep up with a single key for .se, but they were not  
prepared to handle lots of keys from different sources.  Both the IIS  
folks and I, quite independently, made the point that since the root  
is quite small, the damage caused by not having it signed is  
manageable.  Almost all TLDs, on the other hand, are significantly  
larger than the root, and thus the number of trust anchors underneath  
a TLD is much, much larger than the number of trust anchors arising  
from an unsigned root.  That's a technically correct answer and was  
the right posture to take in that forum, but it was clear to me there  
will be increasing pressure on this point.

I also learned last week, quite to my surprise, that .SE (Bulgaria)  
has signed its zone.  Puerto Rico (.PR) is also running a signed  
zone, and Brazil (.BR) and Mexico (.MX) are on the verge.  The issue  
of finding the keys for the multiple TLDs that are signed is now a  
live issue.

I also met last Thursday with the Swedish registry folks (IIS) in the  
morning and with Swedish government people, primarily in the PTS, in  
the afternoon.  In the afternoon we discussed adoption of DNSSEC  
throughout the government.  This led to a discussion of how many  
distinct zones there are inside the government.  They don't know, and  
this might trigger a survey.  The guess is somewhere between 100 and  
1,000 individually maintained zones.  In both the discussion with the  
government folks and in my talk on Friday I pushed the idea of  
aggregating DNS look up service and tying the signing to the look up  
operation, thereby relieving the zone editors from the costs and  
hassles of deploying DNSSEC.  This resonated with several people.

One question that came up in the morning at IIS is whether they  
should permit their key to be included in the DLV.  I countered with  
the thought that they should make their key available as widely as  
possible through as many channels as possible, and that it was more a  
question of whether others, including ISC, want to include their  
key.  This theme continued during the Q&A sessions on Friday, and I  
promised to set up a page on the dnssec-deployment.org web site to  
hold the keys that have been created so far.  One way or another,  
there needs to be a distribution system.

The IIS folks are eager to show what they've done and are willing to  
host a meeting in a few months for those who are interested.  I also  
plan to have a condensation of the launch presentations presented at  
the ICANN meeting in Lisbon next month.

Steve

P.S. IIS also awarded me shinkuro.se.  I plan to get it in operation  
and signed ASAP!

Steve Crocker
steve at shinkuro.com

Try Shinkuro's collaboration technology.  Visit www.shinkuro.com.  I  
am steve!shinkuro.com.

