[Dnssec-deployment] How much is DNSSEC deployed?
patrik at frobbit.se
Mon Apr 25 03:44:20 EDT 2011
On 25 apr 2011, at 09.38, bert hubert wrote:
> I've always been told that Swedish banks all had DNSSEC enabled domains and
> that big Swedish resolvers did validation, possibly because of that.
> However, when I checked the biggest names of Swedish banks some months ago,
> none of them had DNSSEC turned on. I just tried www.riksbank.se, www.nb.se,
> www.sebank.se, www.sparbanken.se and www.handelsbanken.se with similar
I have not heard banks turn on DNSSEC, although I know they have talked about it.
.SE people on this list do know better.
> Do the big Swedish ISPs really do validation? And what kind?
They do validate every response, and throw away non-validating responses. I.e. end users do not get the response at all (and can not distinguish that error from a "misspelling").
As far as I understand and see, "it just works".
My position personally is pretty strong: end users do NOT need a "plan B" like the "click here to continue anyway" that we have for failed cert validation for SSL.
>> We have the list of DS in the root zone by IANA, but is there a good
>> reliable source for information on for example how many DS there is in
>> each TLD (absolute and relative numbers)?
> Only CZ is truly big I think. I heard rumours that this move was
> 'incentivised' by lower rates for DNSSEC secured domains.
Well, I also know that the .CZ people worked hard together with the large DNS Hosting companies and together they got things deployed early.
>> Another thing that was a problem in Sweden to start with was that we
>> charged extra for DNSSEC (i.e. registrar had to pay more to registry for
>> a signed domain than a non-signed). That is not the case anymore in
>> Sweden since many years, but some people do still believe it is an extra
> There IS an extra cost of course in terms of more maintenance work and more
> support calls. But this domain owner cost does not go to .SE of course.
My question was explicitly whether any registry charge extra for DNSSEC today?
Anyone know of any registry that charge registrars extra for DNSSEC?
>> Is DNSSEC for free in all TLDs now (whole sale price) or is there some
>> registry that charge extra? Does that have the impact we believe we saw
>> in Sweden or not?
> Or do some of them charge less?
More information about the Dnssec-deployment