> On May 11, 2016, at 11:58 PM, John Levine <[email protected]> wrote:
>
> It's more complicated than that. Google has said that they could turn
> on DNSSEC for their domains if they wanted, but there's still enough
> stuff that breaks other places that they won't.
>
> On my tiny system, I have about 300 zones, all signed, but I've only
> been able to install parent DS records for about half of them, my own
> and ones for which I'm the registrar reseller. A few are in TLDs that
> still don't do DNSSEC, gTLDs .aero and .travel, for example. The rest
> are registered by other people, and although the registries have
> delegated DNS to me, I have no practical way to tell them what DS
> records to use. There's some work in dnsop to try and fix that, see
> draft-dnsop-ogud-maintain-ds
Yep, there is a lot of work remaining to be done. Of the ISO 2-letter
ccTLDs 109 have DNSSEC enabled and 138 don't. And the remaining TLDs
without DNSSEC are as you mention:
aero
int
mobi
pro
tel
travel
Plus 25 IDN forms of some of the ISO ccTLDs. The good news is that the
6 TLDs above are not particularly popular.
Three key obstacles to universal availability are the lack of support
at the 138 ISO + 25 IDN ccTLDs, the fact that not all registrars support
publication of DS RRs, and a key rotation barrier when zone data
management (including DNSKEY management and zone signing) is
outsourced, but the registrar relationship remains with the domain
owner. We need a standard way for DNS service providers to update
DS RRs on an ongoing basis, after the customer uploads the initial
DS RRset to the registrar.
You're quite right that not all the pieces are yet in place to
address all the needs. Some groups of users cannot at present
be supported.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
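The key rotation barrier Viktor describes (the DS RRset at the parent goes stale when an outsourced signer rolls the KSK and has no channel to the registrar) can at least be detected from the child's side. The following Python is an added example, not code from this thread or from any IETF draft: it derives DS RDATA from DNSKEY RRs as RFC 4034 specifies (section 5.1.4 for the digest, appendix B for the key tag) and reports both parent DS records that match no current KSK and KSKs for which no DS is published. The zone name and key material are constructed placeholders; the "public keys" are arbitrary byte strings rather than real ECDSA keys, which is fine because the DS computation does not depend on key validity.

```python
# Added example: detect a stale DS RRset at the parent after a KSK rollover.
# DS digest per RFC 4034 section 5.1.4, key tag per RFC 4034 appendix B.
import base64
import hashlib
import struct

# DS digest types registered by IANA that this example understands.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_wire_name(owner: str) -> bytes:
    """Owner name in canonical form: lower-case, uncompressed wire format."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return DS RDATA as (key_tag, algorithm, digest_type, upper-case hex digest).

    digest = H(canonical owner name || DNSKEY RDATA)
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](canonical_wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def check_ds_chain(owner, parent_ds, child_dnskeys):
    """Compare the parent's DS RRset with the child's current KSKs.

    A KSK is any DNSKEY with the SEP bit (flags & 0x0001) set. Each parent DS is
    recomputed with its own digest type so mixed digest types are handled.
    Returns (stale_ds, unpublished_ksks): DS records matching no current KSK, and
    KSKs that have no DS at the parent. Both lists empty means the chain is intact.
    """
    ksks = [k for k in child_dnskeys if k[0] & 0x0001]
    stale, covered = [], set()
    for ds in parent_ds:
        digest_type = ds[2]
        matches = [k for k in ksks if ds_from_dnskey(owner, *k, digest_type=digest_type) == ds]
        if matches:
            covered.update(matches)
        else:
            stale.append(ds)
    unpublished = [k for k in ksks if k not in covered]
    return stale, unpublished


# Constructed sample data (hypothetical zone; key bytes are placeholders, not real keys).
ZONE = "example.net"
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(0, 64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
ZSK = (256, 3, 13, base64.b64encode(bytes(range(128, 192))).decode())
# What the domain owner uploaded to the registrar when signing was first enabled.
PARENT_DS = [ds_from_dnskey(ZONE, *OLD_KSK)]


def report(owner, parent_ds, child_dnskeys):
    stale, unpublished = check_ds_chain(owner, parent_ds, child_dnskeys)
    if not stale and not unpublished:
        return "OK: parent DS RRset matches the current KSK set"
    lines = []
    for tag, alg, dtype, digest in stale:
        lines.append(f"STALE DS at parent: {tag} {alg} {dtype} {digest[:16]}...")
    for flags, proto, alg, key in unpublished:
        tag = key_tag(dnskey_rdata(flags, proto, alg, key))
        lines.append(f"KSK {tag} (alg {alg}) has no DS at parent; chain of trust broken")
    return "\n".join(lines)


if __name__ == "__main__":
    print("before rollover:")
    print(report(ZONE, PARENT_DS, [OLD_KSK, ZSK]))
    print("after the DNS operator rolls the KSK without a DS update:")
    print(report(ZONE, PARENT_DS, [NEW_KSK, ZSK]))
```

Run from a monitoring host with the parent's DS RRset and the child's DNSKEY RRset fetched over DNS (for example from the registry's authoritative servers and the operator's own servers); the moment `check_ds_chain` reports a stale DS plus an unpublished KSK, the zone is about to go bogus for validating resolvers unless the old KSK is still published and signing the DNSKEY RRset.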