On Apr 28, 2014, at 2:32 PM, Trevor Freeman <[email protected]> wrote:
> I spoke too soon. While the US government domains are signed, the actual web
> site is not in many cases.
> For example:
> www.dhs.gov is a cname entry www.dhs.gov.edgekey.net which is unsigned.
> This is in turn a CNAME to another unsigned domain
>
> www.dhs.gov.edgekey.net is a CNAME to e6485.dscb.akamaiedge.net

Dear Trevor,

Yes, there are many such CNAME wildcards in use. A poor practice from many perspectives. Comcast has been helpful in vetting DNSSEC use. See http://dns.comcast.net.

http://tools.ietf.org/html/draft-start-tls-over-dns-00 solves many deployment and privacy issues.

DNSSEC should be considered a much needed work in progress.

Regards,
Douglas Otis

> From: perpass [mailto:[email protected]] On Behalf Of Trevor Freeman
> Sent: Monday, April 28, 2014 2:17 PM
> To: Noel David Torres Taño; [email protected]
> Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?
>
> Hi Noel,
>
> If DNSSEC is used in corporations, that may be an interesting data point but
> perpass is specifically looking at the internet so it does not help much.
>
> I understand there could be some benefit to adding some other filter to the
> data but the number to try and try to add a better quality metric. But absent
> that, the number is what it is. Happy to have the discussion on how we would
> consider what to filter on and maybe Verisign could provide more attributes
> with the data for us to mine the information.
>
> I did some ad-hoc research and amongst the prominent internet services or
> financial institutions, there seems little evidence of DNSSEC. The only bright
> spot seemed to be government web sites, though here the deployment was still
> inconsistent in that government agencies have many web sites not part of the
> base domain and these were often not signed.
>
> Trevor
>
> -----Original Message-----
> From: perpass [mailto:[email protected]] On Behalf Of Noel David
> Torres Taño
> Sent: Monday, April 28, 2014 1:02 PM
> To: [email protected]
> Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?
>
> On Mon, 28-04-2014 at 18:38 +0000, Trevor Freeman wrote:
> > We have a range of technologies in the toolkit to address issues
> > identified by perpass.
> >
> > One of the candidate technologies is DNSSEC. At a technology level it
> > has much to commend it.
> >
> > The vast majority of critical TLDs are signed, so another good point
> > in its favor.
> >
> > However when you look at the next tier down, the statistics point to a
> > problem.
> >
> > According to the Verisign labs scoreboard, 340K+ domains in the .com
> > namespace are secured by DNSSEC
> >
> > http://scoreboard.verisignlabs.com/
> >
> > If you express that number as % that is about 0.4% and the growth
> > trend is about 0.1% per year
> >
> > http://scoreboard.verisignlabs.com/percent-trace.png
> >
> > The trend seems about 2 orders of magnitude below where we need to be
> > for DNSSEC to be viable in a realistic timescale.
> >
> > Am I misinterpreting the data? If not, then do we have consensus on
> > what is blocking deployment?
> >
> > Trevor
> >
>
> Which are the numbers for .org ?
>
> This one should have a little percentage of garbage, parked domains, etc.
> Moreover, it is less used by corporations with large IT departments and more
> used by small organizations like Libre Software projects.
>
> And it is very important to trust the software you download.
>
> Regards
>
> Noel
> er Envite
>
> _______________________________________________
> perpass mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/perpass
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
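The point Trevor and Douglas make above, that a signed apex zone buys nothing once the site name is a CNAME into an unsigned CDN zone, is easy to miss if you only check the first answer. The following is an added example, not code from the thread or from any of the parties, that walks a CNAME chain hop by hop and reports the first owner name whose answer was not covered by a validated RRSIG. The owner names are the ones quoted in the thread (www.dhs.gov, www.dhs.gov.edgekey.net, e6485.dscb.akamaiedge.net); the `signed` flags and the final A record (a 192.0.2.0/24 documentation address) are constructed stand-ins for what a validating resolver would return. In practice the `ANSWERS` dict would be replaced by real queries to a validating resolver (for instance with dnspython, checking the AD bit or the RRSIG records per hop); the chain-walking and loop/length checks are the part that generalises.

```python
"""Walk a CNAME chain and find the first hop that is not DNSSEC-signed.

Added example for the perpass thread above; not the list's or any
poster's code. ANSWERS is a constructed model of a validating resolver's
responses: each owner name maps to one RRset plus a flag saying whether
an RRSIG covering it validated. Replace it with live lookups to use it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    rtype: str    # "CNAME" or a terminal type such as "A"
    rdata: str    # CNAME target or address
    signed: bool  # True only if a validated RRSIG covers this RRset


# Constructed sample: owner names from the thread, flags/IP are assumptions.
ANSWERS = {
    "www.dhs.gov.": RRset("CNAME", "www.dhs.gov.edgekey.net.", signed=True),
    "www.dhs.gov.edgekey.net.": RRset("CNAME", "e6485.dscb.akamaiedge.net.", signed=False),
    "e6485.dscb.akamaiedge.net.": RRset("A", "192.0.2.10", signed=False),
}

MAX_HOPS = 8  # resolvers cap CNAME chasing; a long chain is itself suspicious


def _fqdn(name):
    """Normalise to a fully qualified, lower-case owner name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def walk_chain(name, answers, max_hops=MAX_HOPS):
    """Follow CNAMEs from `name` and return [(owner, RRset), ...] in order.

    Raises ValueError on a CNAME loop or an over-long chain, and
    LookupError when a hop has no answer in `answers`.
    """
    chain = []
    seen = set()
    current = _fqdn(name)
    while current not in seen:
        if len(chain) >= max_hops:
            raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")
        seen.add(current)
        rr = answers.get(current)
        if rr is None:
            raise LookupError(f"no answer for {current}")
        chain.append((current, rr))
        if rr.rtype != "CNAME":
            return chain          # reached the terminal record
        current = _fqdn(rr.rdata)
    raise ValueError(f"CNAME loop at {current}")


def first_unsigned_hop(chain):
    """Return the first owner name in the chain lacking a validated RRSIG."""
    for owner, rr in chain:
        if not rr.signed:
            return owner
    return None


def chain_status(name, answers):
    """Summarise a name as 'secure', 'insecure at <owner>' or 'error: ...'."""
    try:
        chain = walk_chain(name, answers)
    except (ValueError, LookupError) as exc:
        return f"error: {exc}"
    weak = first_unsigned_hop(chain)
    return "secure" if weak is None else f"insecure at {weak}"


if __name__ == "__main__":
    for owner, rr in walk_chain("www.dhs.gov", ANSWERS):
        tag = "signed" if rr.signed else "UNSIGNED"
        print(f"{owner:32} {rr.rtype:6} {rr.rdata:32} {tag}")
    print(chain_status("www.dhs.gov", ANSWERS))
```

The useful output is the owner name of the first unsigned hop, because that tells you whose zone needs signing (here the CDN's, not the agency's). A name is reported as secure only when every hop, including the terminal A/AAAA record, carries a validated signature.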
