Patrick Vande Walle patrick at vande-walle.eu
Mon Sep 1 02:01:35 EDT 2008

Lutz Donnerhacke wrote:

>> While I am generally the first to bash VSRN, I must say that I am
>> forever thankful to them for this.
> Please stay away from your US centric view. Verisign did provide a testbed
> for NSEC3. That does not mean, that they are the sole inventor of everything.
BTW, Most of my wording came from the NLNet Labs press release.
There was some irony in my original sentence. Being sometimes considered
by the Americans as an EU undercover agent, I find it refreshing to be
called US centric.

Jokes aside, it is healthy to have another DNS resolver which does
not use the Bind code and is under active development. I do use Unbound
in production and as you may know, I have contributed some input for its
binary packaging in Linux distributions.

>> DNSSEC suffers the same issue as IPv6 that prevents wide deployment.

> No. From the experience of roll out IPv6 as well as DNSSEC, I'm pretty sure,
> that DNSSEC is much much easier. You do not need to touch every device in
> the net. Only the DNS servers.

> I give them such a tool. They can pay for remote signing. But they should do
> it themself in the medium term. Those are their zones.

Until such tool is included as a standard feature in mainstream OSes
and/or registrar web interfaces, I am afraid DNSSEC will not reach
critical mass.

This is where I think ALAC can help, it the sense it is well placed to
talk to registrars to get it included in their range of off-the-shelf
services. Ditto for IPv6 glue records.

Patrick Vande Walle
Check my blog: http://patrick.vande-walle.eu

More information about the EURO-Discuss mailing list