[EURO-Discuss] ALAC-WG on DNSSEC

JFC Morfin jefsey at jefsey.com
Sun Aug 31 19:59:34 EDT 2008 

At 01:04 01/09/2008, Lutz Donnerhacke wrote:
>On Sun, Aug 31, 2008 at 05:52:13PM +0200, Patrick Vande Walle wrote:
> > The root zone on ns.iana.org has indeed been signed. But as David Conrad
> > explained, it is a test, not meant for production.
>
>That's why I set up my own signed root. Please understand why the IANA
>signed root is not considered as production ready: They do construct errors
>in the zone to see how clients in the testbed react. It's easy for them to
>not break the zone for the two weeks of an ICANN meeting incl. the summit.
>So they are able to provide the necessary stability for the meeting.
>And I like to use their work.

So, you mean they actually are working actively on deploying DNSSEC 
without anyone being informed?
I understand now why brother Danny teases us in asking if this is not 
a too urgent matter for ALAC :-)

> > So, if it may be correct that VRSN and Nominet do not directly fund
> > NLNet Labs,
>
>Please do not spread such FUD. Either you know that they pay for or drop
>your suggesting wordings here.

I just read their own stuff and look at their welcome page. 
http://www.unbound.net/

 > DNSSEC suffers the same issue as IPv6 that prevents wide deployment.
>No. From the experience of roll out IPv6 as well as DNSSEC, I'm pretty sure,
>that DNSSEC is much much easier. You do not need to touch every device in
>the net. Only the DNS servers.

You need to touch _every_ resolver otherwise it does not make sense, 
except for merchants. We do not want they have an alibi to control us 
and charge us more. We want to be protected, including from them. The 
real daily danger for people's DNS are ISP name servers. Not a big 
one but a real one.

>I give them such a tool. They can pay for remote signing. But they should do
>it themself in the medium term. Those are their zones.

Is that in some beta form? Do you have a documentation? How much do 
you charge? How do the user consider this service: as something they 
prefer you do for them? that their ISP should eventually provide? 
etc. I do not think there is a DNSSEC business plan as such (as 
explained to Danny), but if there can be some business plans already 
for some services, this is a good news as it would certainly help 
(and hamper, because there would be in addition a young industry to 
deal with in case we want upgrades). These are certainly things 
important to know from you.
jfc

More information about the EURO-Discuss mailing list