On 06/15/2011 11:44 AM, Craig Whitmore wrote:
I guess the next question is what are .nz registrars/ISPs going to do regarding DNSSEC.
An earlier posting in this thread, by me, got no feedback so I will raise the issue again. The technology is only one part of the equation. What, if anything, is going to be required by DNS Operators (who may or may not be Registrars) with respect to processes and procedures associated with signing, key management, auditing etc.?
As I work for a Registrar/ISP I have spent the last week working out a prototype on a couple of name servers running DNSSEC, signing, rolling, sending to the .nz registry etc. and "it works" but there is a lot of planning and automation that has been done before it can go anywhere near production.
My first experiment with this a few months ago was less than successful. I am using BIND9, and turning on some of the DNSSEC features resulted in some zones no longer being accessible. Why? No idea. Did I do everything right? I thought so but, based on the result, probably not.
Lots of other questions, but if any other Registrars/ISPs want to discuss what they are doing, I will listen.
I too would value any ideas, experiences, how-tos and how-not-tos that others have got. Hopefully getting the DNSSEC infrastructure at the Registrar/DNS Operator level can become almost cook-book. As Joe has pointed out, without validation, signing zones is a bit pointless.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Glen Eustace
GodZone Internet Services, a division of AGRE Enterprises Ltd.
P.O. Box 8020, Palmerston North, New Zealand 4446.
Ph: +64 6 357 8168, Fax +64 6 357 8165, Mob: +64 27 542 4015
http://www.godzone.net.nz
"A Ministry specialising in providing low-cost Internet Services to NZ Christian Churches, Ministries and Organisations."