Trevor, Comments inline...
On Apr 29, 2014, at 6:54 PM, Trevor Freeman <[email protected]> wrote:

> Yes, I want to consider the DNS authentication of encryption keys as one scenario which has a dependency on DNSSEC, so we quickly get full circle. Thanks for explaining where your focus is. There have been a number of people who have offered opinions in this area, and none so far have pointed to a technology issue as holding up deployment. Far from it, there seem to be advances in many areas. This all seems like goodness.

Yes, for the most part the issues holding up DNSSEC deployment are NOT technology-related. That said, there *are* some remaining technology issues that do cause problems, most notably the key rollover issue being discussed in multiple drafts within DNSOP right now. Additionally, while we have come far in automation, there are still ways we could make the DNSSEC signing process even easier for smaller and less tech-savvy users. But overall the technology behind DNSSEC is very solid and is not the deployment challenge.

> It seems a little disturbing that it took a stick to get some level of DNSSEC deployment in the .gov domain. That model is hard to replicate elsewhere, so I don't see it as a general solution to deployment.

Neither do I. And, as Scott Rose so rightly pointed out in a message earlier in this thread, a mandate often means that people will do exactly the bare minimum necessary to comply with the mandate... and nothing more. As a result we wind up with implementations that do not, in fact, deliver the full level of security and are not "complete" in the way that we would want them to be.

> As you pointed out, there are a large number of content distribution networks hosting sites on behalf of organizations with signed domains, who have not signed their own domain, thereby breaking the chain of trust to the web site DNS record. We seem to be missing the carrot to get them to sign.
>
> What is the value proposition that would convince them to sign their domain?

Customers asking them for it! That is the big missing piece that people at multiple CDN providers have said to either me or others I know. There *is* a certain level of complexity in what they do as a CDN that makes signing it all non-trivial. However, some CDNs *are* offering DNSSEC signing to certain customers... and if more customers were asking for it, I'm sure more CDNs would offer it. So we go back to needing to get the end customer aware of the value of DNSSEC - and then requesting it from their vendors.

> I note that there is a session at the forthcoming ICANN DNSSEC workshop on DNSSEC and the enterprise. What about small and medium-sized organizations, who typically have lower security skills and smaller budgets? They are mostly migrating to cloud services of some form.

Speaking as one of the members of the program committee for that upcoming ICANN DNSSEC Workshop in London, we'd love to have someone offer to speak on that topic. The call for participation can be found on multiple mailing lists or here:

http://www.internetsociety.org/deploy360/blog/2014/04/call-for-participation-icann-50-dnssec-workshop-on-25-june-in-london/

> Aside from inviting speakers, has there been any research done with organizations on why they are not adopting DNSSEC?

Yes, a number of us have spoken with a good number of organizations about why. In most cases, for the folks I've spoken with, it comes down to a lack of understanding of what DNSSEC can do... and even when they do understand, the reality is that they have 37 other higher IT priorities that they need to get implemented right now, because they are very often operating in perpetual crisis mode and whatever has the highest priority gets implemented. Many people are finally getting around to IPv6 implementations because we are, in fact, finally running out of IPv4 addresses. There isn't the same urgency *yet* for DNSSEC for many people.

This is why I and others have been talking up the value offered by DANE.

> It may also be fruitful to think about what the next set of deployment goals are, in terms of which scenarios we want to work. I would submit it's time to move on from how many of the TLDs are signed to tangible goals like what works. Do we want to look at a percentage of the email sent over the Internet being DANE-protected, for example?

Yes... and we are definitely working on those deployment goals. But this is where I think we really get out of the IETF territory of standards and get more into the operational side of things. Rather than discuss this here on the perpass list, I'd encourage you to join the https://elists.isoc.org/mailman/listinfo/dnssec-coord list and engage in this discussion there. (Unless others feel it should stay on this list... where I'm happy to discuss this, obviously... but I feel like we're going outside of areas that are in scope for the IETF.)

My 2 cents,
Dan

--
Dan York
Senior Content Strategist, Internet Society
[email protected]
+1-802-735-1624
Jabber: [email protected]
Skype: danyork
http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
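An added example (not part of Trevor's or Dan's messages, and not any CDN's or resolver's real code) to make the "broken chain of trust" point concrete. The toy validator below walks the DNSSEC chain of trust from the root down to the zone that serves each name, follows CNAMEs the way a resolver does, and reports the state a validating resolver would attach to the final answer (RFC 4035: the answer is Secure only if every RRset in the chain is Secure; one Bogus RRset makes it Bogus). All zone data is constructed for the example: the CDN zones live under the reserved .test TLD and the addresses are RFC 5737 documentation addresses, so none of the names are real.

```python
"""Toy DNSSEC chain-of-trust walker (added example, constructed data only).

Shows why a signed customer zone whose web name is a CNAME into an unsigned
CDN zone yields an *insecure* answer, and why a CDN zone with a stale DS in
the parent (the key-rollover failure mode) yields a *bogus* one (SERVFAIL).
"""
from dataclasses import dataclass, field

# Ordered so that min() over a CNAME chain gives the overall answer state.
BOGUS, INSECURE, SECURE = 0, 1, 2
NAMES = {BOGUS: "bogus", INSECURE: "insecure", SECURE: "secure"}


@dataclass
class Zone:
    name: str              # zone apex, fully qualified, e.g. "example.gov."
    signed: bool           # zone publishes DNSKEY + RRSIG records
    ds_in_parent: bool     # parent zone publishes a DS record for this zone
    records: dict = field(default_factory=dict)   # owner -> (rrtype, rdata)


class ToyValidator:
    def __init__(self, zones):
        self.zones = {z.name: z for z in zones}

    def zone_for(self, name):
        """Longest-suffix match: the zone that would serve `name`."""
        best = self.zones["."]
        for z in self.zones.values():
            if z.name != "." and (name == z.name or name.endswith("." + z.name)):
                if len(z.name) > len(best.name):
                    best = z
        return best

    def parent_of(self, zone):
        rest = zone.name.split(".", 1)[1]        # "example.gov." -> "gov."
        return self.zone_for(rest if rest else ".")

    def zone_status(self, zone):
        """Walk from the root trust anchor down to `zone`, one delegation at a time."""
        if zone.name == ".":
            return SECURE                         # configured trust anchor
        parent = self.zone_status(self.parent_of(zone))
        if parent != SECURE:
            return parent                         # insecure/bogus parent propagates down
        if not zone.ds_in_parent:
            return INSECURE                       # provably unsigned delegation (no DS)
        return SECURE if zone.signed else BOGUS   # DS present but no valid keys/signatures

    def resolve(self, qname, max_hops=8):
        """Follow CNAMEs; return ([(owner, rrtype, rdata, state), ...], overall state)."""
        chain, name = [], qname
        for _ in range(max_hops):
            zone = self.zone_for(name)
            state = self.zone_status(zone)
            rr = zone.records.get(name)
            if rr is None:
                chain.append((name, "NXDOMAIN", None, state))   # denial proof carries zone state
                break
            rrtype, rdata = rr
            chain.append((name, rrtype, rdata, state))
            if rrtype != "CNAME":
                break
            name = rdata                                          # keep following the CNAME
        return chain, min(s for *_, s in chain)


def build_example():
    """Constructed zones: a signed .gov customer and three hypothetical CDN zones."""
    return ToyValidator([
        Zone(".", signed=True, ds_in_parent=False),           # trust anchor
        Zone("gov.", signed=True, ds_in_parent=True),
        Zone("test.", signed=True, ds_in_parent=True),
        Zone("example.gov.", signed=True, ds_in_parent=True, records={
            "mail.example.gov.": ("A", "192.0.2.10"),
            "www.example.gov.":  ("CNAME", "www.example.gov.unsigned-cdn.test."),
            "www2.example.gov.": ("CNAME", "www.example.gov.signed-cdn.test."),
            "www3.example.gov.": ("CNAME", "www.example.gov.stale-cdn.test."),
        }),
        # CDN that never signed: no DS, no DNSKEY -> the customer's signing buys nothing here.
        Zone("unsigned-cdn.test.", signed=False, ds_in_parent=False,
             records={"www.example.gov.unsigned-cdn.test.": ("A", "192.0.2.1")}),
        # CDN that signs and has its DS in .test -> unbroken chain.
        Zone("signed-cdn.test.", signed=True, ds_in_parent=True,
             records={"www.example.gov.signed-cdn.test.": ("A", "192.0.2.2")}),
        # CDN whose DS is still published but whose signatures are gone (botched rollover).
        Zone("stale-cdn.test.", signed=False, ds_in_parent=True,
             records={"www.example.gov.stale-cdn.test.": ("A", "192.0.2.3")}),
    ])


def status_of(qname):
    """Validation state ('secure' / 'insecure' / 'bogus') a resolver would report for qname."""
    _, overall = build_example().resolve(qname)
    return NAMES[overall]


if __name__ == "__main__":
    v = build_example()
    for q in ("mail.example.gov.", "www.example.gov.", "www2.example.gov.", "www3.example.gov."):
        chain, overall = v.resolve(q)
        steps = " -> ".join(f"{n} {t} [{NAMES[s]}]" for n, t, _, s in chain)
        print(f"{q:18} => {NAMES[overall]:8} via {steps}")
```

The customer's own records (`mail.example.gov.`) validate, but the answer users actually want, `www.example.gov.`, comes back insecure because the last hop sits in a zone with no DS and no keys, and `www3` comes back bogus (SERVFAIL at a validating resolver) because a DS is still published for a zone that no longer signs. Against real names the equivalent check is BIND's `delv NAME A`, which prints `; fully validated` for a secure answer and `; unsigned answer` where the chain stops at an unsigned zone.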
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
