On 28/05/12 20:55, Craig Whitmore wrote:
On 28/05/12 9:48 AM, "Sebastian Castro" wrote:
So far we are not aware of any active validating nameserver in NZ, or heard plans about it. We definitely can find out based on the nameservers data.
From the results from my website I can agree with this. I've only seen 2 IP addresses out of 150+ tests from IP addresses all over NZ actually have validating DNSSEC name servers.
There is absolutely no point enabling DNSSEC on people's domains if no one actually checks for the results being valid.
It's a chicken-and-egg problem.

1. Why should I sign my domain if no one will be able to validate it?
2. Why should I enable a validating nameserver? It will cause more troubles, and no one will use it because there are few signed domains.

The short answer is to learn! In the same way you, Craig, have been exploring DNSSEC, and signing your domains, and likely running a validating nameserver on your workstation.

In the last few months, every time we had a meeting with an ISP, we mentioned: "We are going to sign the second level domains, we are implementing DNSSEC, you should try to run your own validating nameserver, even for a small controlled population". If Comcast could do it, why not a smaller ISP in NZ?
From an end-user perspective, you can try dnssec-trigger, or the browser-specific plug-ins that validate answers (such as http://www.dnssec-validator.cz/).
I'm wondering at this point how much help could NZRS provide towards that objective. Do geeks in NZ need more reading material? More testing environments? More meetings?

Cheers,
Craig Geek
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535