[EURO-Discuss] ALAC-WG on DNSSEC

Lutz Donnerhacke lutz at thur.de
Sun Aug 31 19:04:28 EDT 2008


On Sun, Aug 31, 2008 at 05:52:13PM +0200, Patrick Vande Walle wrote:
> Lutz Donnerhacke wrote:
> >> Where can we get and test it?
> > 
> > Simply do it. Documentation can be found on my company's website. Please
> > search yourself. I'll not promote it.
>
> Signing the root zone on your own does not add any value to the process.

You looked for a way to try it out and test it. If you do not like my offer,
please do sign your own root. But do not talk about trustworthiness. You do
not need to implement it in production environments, like I do. You can
simply test without trusting me.

> > That's FUD, too. The root zone is signed by IANA. I'll see this version
> > productive at the meeting in Cairo. That's all.
> 
> The root zone on ns.iana.org has indeed been signed. But as David Conrad
> explained, it is a test, not meant for production.

That's why I set up my own signed root. Please understand why the IANA
signed root is not considered production ready: They do construct errors
in the zone to see how clients in the testbed react. It's easy for them to
not break the zone for the two weeks of an ICANN meeting incl. the summit.
So they are able to provide the necessary stability for the meeting.
And I like to use their work.

> > That's FUD. NLNetlab is not sponsored by Nominet nor Verisign.
> > NLNetlab produces the leading DNSSEC software and testbeds.
> 
> Unbound was developed based on Java prototype sponsored by Verisign,
> Nominet and others. NLNet Labs did the C implementation.

It's a rewrite from scratch.

> So, if it may be correct that VRSN and Nominet do not directly fund
> NLNet Labs,

Please do not spread such FUD. Either you know that they pay for it, or drop
your suggestive wording here.

> at least they suggested to develop an alternative to Bind.

Do you really claim that suggesting a thing includes sponsoring the
implementor? I can't believe it.

> While I am generally the first to bash VRSN, I must say that I am
> forever thankful to them for this.

Please stay away from your US centric view. Verisign did provide a testbed
for NSEC3. That does not mean that they are the sole inventor of everything.

> DNSSEC suffers the same issue as IPv6 that prevents wide deployment.

No. From the experience of rolling out IPv6 as well as DNSSEC, I'm pretty sure
that DNSSEC is much, much easier. You do not need to touch every device in
the net. Only the DNS servers.

> We
> cannot just assume that the overworked sysadmin in your average SME is
> ready to go through hundreds of pages of technical documents. Give him a
> simple GUI in Windows/Linux/Solaris/whatever. Key generation, rollover,
> etc is just something the user should not have to worry about. A single
> checkbox should be enough.

I give them such a tool. They can pay for remote signing. But they should do
it themselves in the medium term. Those are their zones.
