I spoke too soon. While the US government domains are signed, the actual web
site is not in many cases.
For example:
www.dhs.gov is a CNAME entry to www.dhs.gov.edgekey.net, which is unsigned.
This is in turn a CNAME to another unsigned domain:

www.dhs.gov.edgekey.net is a CNAME to e6485.dscb.akamaiedge.net

From: perpass [mailto:[email protected]] On Behalf Of Trevor Freeman
Sent: Monday, April 28, 2014 2:17 PM
To: Noel David Torres Taño; [email protected]
Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?


Hi Noel,

If DNSSEC is used in corporations, that may be an interesting data point but
perpass is specifically looking at the internet so it does not help much.

I understand there could be some benefit to adding some other filter to the data
but the number to try and try to add a better quality metric. But absent that,
the number is what it is. Happy to have the discussion on how we would consider
what to filter on and maybe Verisign could provide more attributes with the
data for us to mine the information.

I did some ad-hoc research and amongst the prominent internet services or
financial institutions, there seems little evidence of DNSSEC. The only bright
spot seemed to be government web sites, though here the deployment was still
inconsistent in that government agencies have many web sites not part of the
base domain and these were often not signed.

Trevor



-----Original Message-----
From: perpass [mailto:[email protected]] On Behalf Of Noel David Torres Taño
Sent: Monday, April 28, 2014 1:02 PM
To: [email protected]
Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?



On Mon, 28-04-2014 at 18:38 +0000, Trevor Freeman wrote:

> We have a range of technologies in the toolkit to address issues
> identified by perpass.
>
> One of the candidate technologies is DNSSEC. At a technology level it
> has much to commend it.
>
> The vast majority of critical TLDs are signed, so another good point
> in its favor.
>
> However when you look at the next tier down, the statistics point to a
> problem.
>
> According to the Verisign labs scoreboard, 340K+ domains in the .com
> namespace are secured by DNSSEC
>
> http://scoreboard.verisignlabs.com/
>
> If you express that number as % that is about 0.4% and the growth
> trend is about 0.1% per year
>
> http://scoreboard.verisignlabs.com/percent-trace.png
>
> The trend seems about 2 orders of magnitude below where we need to be
> for DNSSEC to be viable in a realistic timescale.
>
> Am I misinterpreting the data? If not, then do we have consensus on
> what is blocking deployment?
>
> Trevor

Which are the numbers for .org?

This one should have a little percentage of garbage, parked domains, etc.
Moreover, it is less used by corporations with large IT departments and more
used by small organizations like Libre Software projects.

And it is very important to trust the software you download.

Regards

Noel
er Envite


_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
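
The CNAME chain described at the top of this message, as an added example that is not part of the original e-mail: a validating resolver can only treat the final answer as secure if every name in the chain lives in a signed zone. The zone flags and CNAME records below are constructed from the names and signed/unsigned statements in the message, not from a live lookup, and the helper names are hypothetical.

```python
# Added illustration. Zone flags and CNAME records are constructed from the
# names quoted in the message; they are not the result of a live lookup.
ZONES = {"dhs.gov": True, "edgekey.net": False, "akamaiedge.net": False}
CNAMES = {
    "www.dhs.gov": "www.dhs.gov.edgekey.net",
    "www.dhs.gov.edgekey.net": "e6485.dscb.akamaiedge.net",
}


def enclosing_zone(name, zones):
    """Longest-suffix match on whole labels, so www.dhs.gov.edgekey.net
    maps to edgekey.net and never to dhs.gov."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def chain_status(name, cnames=CNAMES, zones=ZONES, max_hops=8):
    """Follow CNAMEs from `name` and report whether every hop sits in a
    signed zone. The answer is only as secure as the weakest hop."""
    chain, seen, breaks_at = [], set(), None
    current = name.rstrip(".").lower()
    while True:
        if current in seen or len(chain) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + current)
        seen.add(current)
        zone = enclosing_zone(current, zones)
        # A name in no known zone is treated as unsigned (fail closed).
        signed = bool(zone) and zones[zone]
        chain.append((current, zone, signed))
        if not signed and breaks_at is None:
            breaks_at = current
        if current not in cnames:
            break
        current = cnames[current].rstrip(".").lower()
    return {"chain": chain, "secure": breaks_at is None, "breaks_at": breaks_at}


if __name__ == "__main__":
    result = chain_status("www.dhs.gov")
    for owner, zone, signed in result["chain"]:
        print(f"{owner:32} zone={zone} signed={signed}")
    print("secure end to end:", result["secure"], "| breaks at:", result["breaks_at"])
```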
