On 2/24/2014 3:52 PM, /dev/rob0 <r...@gmx.co.uk> wrote:
> On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote:
>> On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
>>> If you want scalable security for SMTP, become an early adopter
>>> of DANE TLS, available in Postfix 2.11.  Today, you'll be able
>>> to opportunistically authenticate the handful of DNSSEC signed
>>> domains that publish TLSA records for SMTP.  Over time, I hope
>>> that handful will grow to a decent fraction of SMTP sites.
>>
>> Oh yes - DNSSEC. When will it come? In hundred years?
>
> Dirk, do you mind explaining this? Are you having trouble finding
> DNSSEC-enabled DNS hosting?

Well, here is what mine (DNSMadeEasy) says on the subject:

After seeing others in the Managed DNS space fail to properly maintain these processes for customers and the headaches (and nightmares) that come from not properly implementing these processes, we have been very careful in approaching this difficult task.

and

DNS Made Easy is monitoring the DNSSEC RFCs and their progress on the standards track. We will not consider implementing DNSSEC until NSEC3 becomes widely implemented as NSEC allows domain enumeration (which we are firmly against). The root (.) domain is not signed and will not be signed for some time (if ever). There are currently some very real issues with DNSSEC key authentication, distribution, management, and revocation. DNS Made Easy will continue to evaluate DNSSEC implementation as these issues with the RFCs are resolved.

Until the issues with DNSSEC are resolved we will not consider implementing it with our primary service. I don't see this happening for a few years.

Curious what others (especially Viktor) think of this response. Why are they 'firmly against' NSEC's 'enumeration of domains' feature, and the comment about 'very real issues...'...

Anyone have any recommendations for decent DNS Service Providers that don't cost an arm and another arm (DNSMadeEasy is really inexpensive, and their service has been awesome for the 3+ years we've been using them), and that are known to 'do DNSSEC' right?

--

Best regards,

Charles
