[Dnssec-deployment] Comcast Begins DNSSEC Rollout
steve at shinkuro.com
Wed Oct 20 09:40:49 EDT 2010
FWIW, within the DNSSEC Deployment Initiative, i.e. the project the Dept of Homeland Security is funding to foster deployment of DNSSEC, our explicit goal is 100% signed zones and 100% validation. We're not naive about the difficulties or how long it might take, but we see no reason to suggest there's a fundamental reason for some zones not to be signed or some lookups not to be checked. In principle, all zones should be signed and all queries should be checked, and, in our view, it's just a question of how long it takes to reach that point. The cost will continue to fall, and eventually it will be considered standard practice.
On Oct 20, 2010, at 8:38 AM, Joao Damas wrote:
> On 20 Oct 2010, at 09:00, <Mats.Dufberg at teliasonera.com> <Mats.Dufberg at teliasonera.com> wrote:
>> The number of signed domains is still low. Under .SE less than 1% of the domains are signed,
> sure 1% may seem low if you compare with 100%, but I do not believe all domains will need to make use of DNSSEC so it might be better to get an estimate of how many domains are likely to benefit from the use of DNSSEC (those who perceive using DNSSEC as a valuable thing for the domain) and compare against that.
> It is true that benefit also has the other side, called cost, and that if cost is brought down (e.g. by having someone else take care of keeping your signed domain refreshed) then more domains may make use of it. It would still have costs associated with the increased complexity, which always brings a bit of increased fragility, but more domain holders would be on the positive side of the benefit/cost line.
> Again, this is just a part of estimating the number of domains that may benefit from the use of DNSSEC so as to be able to get better estimates of relevant deployment
More information about the Dnssec-deployment