[EURO-Discuss] ALAC-WG on DNSSEC

Lutz Donnerhacke lutz at thur.de
Mon Sep 1 05:03:52 EDT 2008


On Mon, Sep 01, 2008 at 01:59:34AM +0200, JFC Morfin wrote:
> At 01:04 01/09/2008, Lutz Donnerhacke wrote:
> >Please understand why the IANA signed root is not considered as
> >production ready: They do construct errors in the zone to see how
> >clients in the testbed react.
> 
> So, you mean they actually are working actively on deploying DNSSEC 
> without anyone being informed?

Why did you not inform yourself before blaming others?
http://ipv6.google.com/search?hl=de&q=ns.iana.org%2Fdnssec%2Fstatus.html

> I understand now why brother Danny teases us in asking if this is not
> a too urgent matter for ALAC :-)

DNSSEC is one of the current activities of ICANN and therefore a current
matter for ALAC. One might ask if DNSSEC is too urgent for AtLarge, the
ALSes, and the users out there. Because AtLarge should guide the process,
the ALSes should think about this subject. That's why I would like to have a
track at the summit.

> >Please do not spread such FUD. Either you know that they pay for or drop
> >your suggesting wordings here.
> 
> I just read their own stuff and look at their welcome page. 
> http://www.unbound.net/

: About Unbound
: ~~~~~~~~~~~~~
: Unbound is a validating, recursive, and caching DNS resolver. 
: 
: The C implementation of Unbound is developed and maintained by NLnet Labs.
: It is based on ideas and algorithms taken from a java prototype developed by
: Verisign labs, Nominet, Kirei and ep.net. 
: 
: Unbound is designed as a set of modular components, so that also DNSSEC
: (secure DNS) validation and stub-resolvers (that do not run as a server, but
: are linked into an application) are easily possible. 
: 
: The source code is under a BSD License. 
[cut download sources]
: Support
: ~~~~~~~
: Unbound is being maintained by NLnet Labs, a not for profit, public benefit
: foundation. Problems can be reported through the bugzilla webinterface. In
: the case we stop supporting the product we will announce such two years in
: advance. 

Of course. Unbound is sponsored by Verisign and the code was written by the
big, bad, and ugly NSA agents. ... Sorry, please let us keep to safe ground.

> >No. From the experience of rolling out IPv6 as well as DNSSEC, I'm pretty sure
> >that DNSSEC is much, much easier. You do not need to touch every device in
> >the net. Only the DNS servers.
> 
> You need to touch _every_ resolver otherwise it does not make sense,
> except for merchants. We do not want them to have an alibi to control us
> and charge us more. We want to be protected, including from them. The
> real daily danger for people's DNS are ISP name servers. Not a big
> one but a real one.

You only have to touch your last trustworthy DNS server for providing DNSSEC
validation. The clients are usually not involved. The application software
is usually not involved.

You only have to touch your authoritative DNS server for providing DNSSEC.

That's why the introduction of DNSSEC is much easier than any IPv6 rollout.

------------------------------------------------------------------------
I do not want to talk about my business here. I try to keep it separate.
So if you do not want to read about commercial issues, please stop reading.
------------------------------------------------------------------------


> >I give them such a tool. They can pay for remote signing. But they should do
> >it themselves in the medium term. Those are their zones.
> 
> Is that in some beta form?

No, it's in production.

> Do you have a documentation?

Yes, but currently it's in German only.

> How much do you charge?

For DNSSEC remote signing between one and ten Euro per zone and month. This
covers the management costs, which relate mostly to the customer accounts,
not the amount of zones to sign.

Furthermore there are extra QoS fees for exclusive resource allocation:
maximum signing delay, live signing, ... Those costs are calculated to
pay for the somewhat expensive special hardware. We do not offer overbooked
services.

> How do the users consider this service: as something they prefer you do for
> them? that their ISP should eventually provide?  etc.

This service is for companies, ISPs, and registrars who need to implement
DNSSEC now, but need time to adapt their infrastructure, train their admins
and hotline, and rewrite the tool chains. We offer them a way to buy time.

> I do not think there is a DNSSEC business plan as such (as 
> explained to Danny),

My explanation does contain some useful business cases even for the private
user.

> but if there can be some business plans already for some services, this is
> good news as it would certainly help (and hamper, because there would be
> in addition a young industry to deal with in case we want upgrades). These
> are certainly things important to know from you.

I hope I made my point clear enough without promoting commercial issues too
much. Do you have further questions?
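As an added illustration of the point above that only the "last trustworthy DNS server" needs to validate (this configuration is not from the mailing-list post, and Unbound is used only because the thread names it): a minimal Unbound `server:` stanza for such a resolver, with the weak setting shown beside the corrected one. It assumes a signed root with a published trust anchor, which the post notes was still a testbed at the time, and the paths and the client network are placeholders.

```conf
# Added example (not from the post): Unbound acting as the validating recursive
# resolver for a site. The stub resolvers on the clients and the applications
# behind them need no DNSSEC code of their own; they only receive the AD flag.
server:
    # Serve the site's clients (network is an assumption, RFC 5737 example range).
    interface: 0.0.0.0
    access-control: 192.0.2.0/24 allow

    # Validation is done by the validator module in front of the iterator.
    module-config: "validator iterator"

    # Root trust anchor; Unbound keeps it current via RFC 5011 rollovers.
    # The path is an assumption; distributions place it differently.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Weak setting: permissive mode logs failed validations but still hands the
    # bogus answer to the client, so clients are not actually protected.
    # val-permissive-mode: yes

    # Corrected: bogus data is answered with SERVFAIL and never reaches clients.
    val-permissive-mode: no

    # Refuse answers from which an upstream stripped the RRSIG records.
    harden-dnssec-stripped: yes
```

Clients get the AD flag only over the path to this resolver, so that path is the one piece that has to be trustworthy, which is exactly the "last trustworthy DNS server" of the post.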



More information about the EURO-Discuss mailing list