>My view for DNSSEC:
>
>Will be deployed in the same speed as new DNS software will include DNSSEC by
>default and it will be turned on by default.
>Further, as the validation is done by the ISP, the end user is not involved.

I see it as a lot like IPv6 -- the fans claim it's great, just do it, while in the real world the tools are somewhere between half-hearted and unusable and the benefits vague.

As a concrete datapoint, I have about 250 signed zones on my DNS server. Half are usable with a DS record in the parent, all zones that I have registered for myself or as a registrar reseller. I've been able to install the ones I have because Tucows has a proprietary but documented reseller API that lets me do it automatically, not one at a time. I did one elsewhere (sp.am) by hand, just to see if it was possible.

The other half are not usable with DNSSEC because there is no way for me to install the DS -- I'm running the DNS for domains other people have registered at other registrars, so those registrars won't talk to me. In theory I could walk my users through their various registrars' DNSSEC hoops; in reality life is too short.

You might hope that after more than a decade we'd have gotten around to addressing basic configuration problems, but no.

R's,
John

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
