-----Original Message-----
From: Andy Linton [mailto:asjl(a)citylink.co.nz]
Sent: Wednesday, 29 September 2004 3:28 p.m.
To: 'NZ NOG'
Subject: Re: [nznog] ns1,2,3,5.dns.net.nz hot being helpful
Joe Abley wrote:
(And to all the people who sent me private mail saying "but what about geek.nz? That's going to be signed, because that's what it was created for." Yeah, that's what I thought too. Apparently not.)
I'm pretty sure I recall discussions with the DNC about the setting up of 'geek.nz' where we asked about getting the zone signed and agreed to wait until the whole of .nz would be signed. The discussion went along the lines 'you want DNSSEC signing of the new 'geek.nz' zone? that's a good idea. why don't we do it for all of NZ'
Yep that was exactly that. In fact I facilitated the meeting to recommend this as policy, and got both INZ and NZRS to sign off on implementing DNSSEC. However the issue of DNSSEC allowing the zone file to be revealed only became apparent at a later stage. This meant that implementing DNSSEC would breach existing .nz policy. This has caused a large number of ccTLDs to state they cannot implement DNSSEC unless it is modified. To find out how best to resolve this issue, a technical staffer was sent to the last ICANN meeting to get the latest updates from .nl, Steve Crocker and other ccTLDs about what is probable and possible. The hope is that as DNSSEC specs had not been signed off, they could be modified to prevent the publication of the zone. As I said many ccTLDs said they would absolutely adopt DNSSEC if this issue could be addressed. The position of .nz is to wait and see the final shape of DNSSEC, and delay implementation until this is known.
Now there appear to be doubts from the managers of the nz tld about signing the whole zone - I don't agree with them but if that's their stance, can we have signing of geek.nz back on the agenda please.
The problem with this is that geek.nz is unmoderated and that is very different to a moderated domain. A moderator does effectively speak for their 2LD registrants. Who speaks for all 500 geek.nz registrants? Also there could be a significant resistance from registrars to support DNSSEC, if it is only available on 0.3% of .nz domains. And unless there are Registrars willing to test and implement it, then the Registry can't do much. .nz agreed to implement DNSSEC and IPv6 glue to .nz, as requested by various people last year. It has introduced TSIG for the name servers, it will soon have IPv6 glue working and it did agree to implement DNSSEC and had an implementation schedule drawn up for this. However the zone walking issue is not a trivial one, and has put a major spanner in the works. If a solution or workaround to it eventuates, then the original planned implementation can happen. In the short-term I think we just have to wait and see what eventuates.

DPF