Re: [Dnssec-deployment] .KE still has no DS records
On 26 Jun 2015, at 2:04, Steven G. Huter wrote: On Thu, 25 Jun 2015, Toilem Godwin wrote: I would like to stress this, we preferred ensuring everything is correctly setup rather than rush into inserting our DS records only to have another breakage. Its better taking time to understand all the possibilities and cause of the breakage, mitigate or work around them before making a bold step of updating our DS records in root. Well-said, Toilem. Thank you for the prudent approach in your network operations and service to the Kenyan Internet community. I would like to explicitly follow Steve and others in supporting you in your careful deliberation of what happened, and carefully deploying mechanisms that are safe and stable, built upon the unfortunate experience you got. Best, Patrik Fältström signature.asc Description: OpenPGP digital signature
Re: [Dnssec-deployment] .KE still has no DS records
On 25/06/15 12:42, Dr Eberhard W Lisse wrote: Hi Eberhard, However, even though I am quite partial to clear language (which I most certainly have used if approached like this) and I do not want to incite a meta-discussion here, the original post reads counterproductive It is not that anyone is entitled to a report, or to see DS records in the root, or to a timeframe. One may not be entitled to a report, but KeNIC promised one, and didn't deliver it. The DS record is a different issue. If I have registered domains in .KE, and they're signed, then the secure delegation chain is broken, then I expect KeNIC to do something about it. At the very least, I expect them to tell me what they plan on doing. Regards, Anand
Re: [Dnssec-deployment] .KE still has no DS records
On Jun 25, 2015, at 07:42, Dr Eberhard W Lisse e...@lisse.na wrote: We need to encourage people to take this on, even under the less than ideal circumstances of the real world, and not frighten them off. Fully agree. KENIC are in good company having had visible problems with DNSSEC in the first place, and even better company for having been open about what the problems are and what they have learnt from them. This is the model for how ccTLDs should approach these kinds of situations and I think KENIC deserve a great deal of credit for how they are handling it. Joe
Re: [Dnssec-deployment] .KE still has no DS records
Anand Buddhdev (anandb) writes: But have you registered a domain under .KE ? I don't have any personal domains in .KE at the moment, but I was born and raised in Kenya, and still have family and friends there. I totally understand, I live in Nairobi myself :) They have .KE domains. My inability to communicate with them, and their inability to communicate with me, using .KE domains, makes this issue rather important to me. And to everyone who was affected as well, yes. Hm, as I can see, resolution works - I think it's probably better to have a functioning KE delegation, than a broken signed one. I don't see issues *currently* with validation breaking, since there is no DS. The report is a service to the community, not an obligation. Yes, the report is a nice-to-have, rather than essential. The DS record, on the other hand, is not optional. KeNIC gave us the candy, and have now taken it away again. I strongly disagree on this point. I understand the frustration, but to be honest, it's KE's prerogative to decide when and if they want to reitroduce a DS record. I've been to KENIC and they do good work over there, but I think it would be a disservice to the Kenyan community to hurry under pressure, submit a DS when they're not quite ready to do so, and experience another failure. That would certainly kill trust more than anything. The fact that the delegation is broken is certainly something registrars and customers here in Kenya can complain about, not us. I don't live in Kenya now, but why does that matter? I am affected by DNSSEC failure in .KE, and I can choose to voice an opinion about it. Absolutely, but saying it's not optional in a public forum is not super helpful to them. That's an opinion, too :) Cheers, Phil
