[Dnssec-deployment] How to Motivate DNSSEC Deployment?
asteingruebl at paypal-inc.com
Thu Dec 15 12:18:07 EST 2011
> -----Original Message-----
> >Livingood, Jason <Jason_Livingood at cable.comcast.com> wrote:
> >> Which leads me to the question of how to motivate domain owners
> >> (example.com) to create marketplace demand -- by signing their domains.
> >Roll out applications that make use of DNSSEC, e.g. DANE.
> Good suggestion. But have we yet articulated how to use DANE with enough
> of the right people / made it easy to do? It feels like very early days on that
> issue, so to speak. How could we help app developers and others to use
> DNSSEC and/or DANE?
Giant discussions on the DANE list about the last-mile problem. Getting end-clients to do full DNSSEC checking, which is necessary for DANE, is a hard problem. Several folks including Adam Langley at Google, and Nicholas Weaver of ICSI (NetAlyzer) have been publishing good data about reachability to end-nodes of the DNSSEC responses. So far the rates are low enough because of a multitude of factors, that DANE deployment isn't coming anytime soon as a full-fledged mechanism that browsers will rely on, and that could be put into hard-fail mode. Not to mention of course the problem with the multiple paywalls users encounter and how DNSSEC won't transit them either.
Our justification for deployment and the earliest thinking about it was the NXDOMAIN spoofing that ISPs were doing for things like ww.paypal.com, which we really weren't happy about. Marking all your cookies secure and implementing HSTS for your domain gets you some coverage, but DNSSEC is important as well.