On 16/07/2010, at 2:22 PM, Sam Sargeant wrote:
On 16/07/2010, at 1:42 PM, Andy Linton wrote:
Following up on this and Jay's comments about when we'll do this for .nz: I'd observe that the process involved in getting ready and implementing this is non-trivial.
The logistics of deploying and operating DNSSEC are certainly non-trivial. I'd also observe this hasn't just arrived out of the blue; we've all known the root was due to be signed for some time and there is no reason why planning can't have happened before now. While I'm sure that some work has been happening, I had hoped that we'd have a timeframe for implementation when the root was signed.
While you are correct in your observation, it would not be fair to draw an inference that registries have been sitting around waiting for this to happen, blithe to the consequences. The development of DNSSEC has not taken place in isolation from the registries; rather, many of us have been major contributors to the work and it would not have happened without that community effort. This effort has gone/is going into the following main areas:

1. Developing the protocol. DNSSEC has been around 15 years in the making, but it only really started to gain traction around 2004 when registries intervened heavily to explain how the protocol at that point was unusable and proposed changes that would enable it to be used (NSEC3 being the result). There are still important niche features being added to the protocol now as we learn from the operational practice (3 below).

2. Signing the root. While this is the responsibility of IANA, the registries have played a significant part too. This has included considerable behind-the-scenes politics, lots of work in peer review of process and technology, and then the measurement and analysis of nameserver behaviour to understand how DNSSEC has/will change the DNS landscape.

3. Developing operational best practice and tools. We've known all along that it would have been a very poor look for us to have said "right, we've signed .nz, now you can use it, and BTW there are no tools and no documented practice to use", so we are putting effort into the development of tools and policies. We want DNSSEC to be a success and that means making life as easy as possible for sysadmins to implement. The epicentre for that work is http://www.opendnssec.org/

4. Developing local policy. As with all technology, the layer 9 considerations only truly come to the fore when people have used the technology for a while and got used to it. This is when we start to think really hard about such issues as what happens when a registrant moves between registrars where DNSSEC is now in play. This is not trivial, and many of the TLDs that have implemented DNSSEC already have done so without these issues being fully resolved, fully expecting those to come out in the wash in the first year or so. We take a slightly different view and would like to have those issues thought through and new policy in place that protects the same principles as before and maintains the same balance between participants. If you want an indication of some (not all) of the questions that policy must address then see http://syd.icann.org/files/meetings/sydney2009/presentation-dnssec-workshop-...

So that in a nutshell is why we are where we are. DNSSEC as a change is the most important thing to happen to the global DNS industry because it is systemic, and so the risks of failure are also systemic, which is as high as it gets. We are moving carefully and cooperatively to get this right.

kind regards
Jay
There's a challenge here for this community to start thinking about the process of getting the domains we're responsible for ready for signing as well. We'll also need to educate and assist customers.
Couldn't agree more.
Sam.
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
--
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840