[Dnssec-deployment] Comcast Begins DNSSEC Rollout

Mats.Dufberg at teliasonera.com
Wed Oct 20 07:00:17 EDT 2010

> From: dnssec-deployment-bounces at dnssec-deployment.org 
> [mailto:dnssec-deployment-bounces at dnssec-deployment.org] On 
> Behalf Of Doug Barton
> Sent: 19 October 2010 18:44

> > TeliaSonera is the major ISP in Sweden and our DNS 
> > resolvers have been validating all customers' requests since 
> > June 2007. Until September this year we used the .SE key as 
> > trust anchor, now we use the root key as trust anchor. We 
> > have now and then received calls from customers complaining 
> > that some domain fails with us but not at some other place. 
> > We have used the .SE tool DNScheck 
> > (<http://dnscheck.iis.se/?setLanguage=en>) to show that the 
> > problem sits in the domain. The customers have accepted that 
> > we are not to blame, and there has been no negative press due 
> > to the fact that we validate.
> >
> > If there is a major DNSsec failure in some TLD that has any 
> > importance in Sweden, I am sure that the press will point out 
> > the cause of failed DNS resolution.
>
> That sounds like a very reasonable approach. Do you try to educate the 
> users about DNSSEC at all? Obviously the depth of detail is not 
> desirable, but I could see where an approach like, "We use the most 
> sophisticated technology available which helps protect you 
> from going to a different site pretending to be your 
> {bank|podiatrist|etc.}" might be useful.

The number of signed domains is still low. Under .SE less than 1% of the domains are signed, and I think the same is true for all TLDs with the exception of .CZ (Czech Republic; 15%). Under .SE no banks have signed their domain, as far as I know.

It is hard to claim to the customers that DNSsec gives any considerable protection today. We cannot risk that the customers think that everything is safe now. We are working with the future.

No, we have not tried to educate the users. We hope that they go back to the party responsible for the DNS hosting and that they understand what is wrong.


Mats Dufberg
Senior System Expert DNS
TeliaSonera BBS Networks AP SP Internet
mats.dufberg at teliasonera.com
