On 2008-12-18, at 18:12, DNS wrote:
> Gaurab Raj Upadhaya wrote:
>> I'd say why not sign the geek.nz should probably be signed and results
>> presented at NZNOG.
> Due to .nz policy requirements, an NSEC3 version of DNSSEC is required to sign the .nz zone. When a production version of BIND 9.6 (contains NSEC3) is released (early 2009?) a project to sign the .nz zones will commence.
Note also that production-ready NSD code has been shipping with NSEC3 for some time, and it has some quite high-volume users. There was an interop event held between various vendors (including ISC and NLNetLabs) an IETF or two ago to iron out some problems between implementations of NSEC3 in authority-only servers and resolvers, and I hear good work was done. So the code readiness is something that is seeing active work, sufficient at least for people like PIR to put a lot of effort into developing a plan to sign ORG with NSEC3.

However! What's missing from this picture is validator deployment. Signing all the TLDs in the world and the root won't help secure the DNS if no resolver ever asks for a secure answer.

Deploying validators is something that operators could be working on right now, without waiting for TLDs or 2LDs to be signed. There are several TLDs that have been signed for some time, and guidance for how to configure a validator with a handful of manually-maintained trust anchors, or ISC's DLV registry, or both is not hard to find.

Really, cutting your teeth on a validator with an unsigned NZ zone (when the worst that can happen is that some customers have trouble resolving names under, say, SE due to a validator configuration problem) sounds like a much better plan than trying to get a validator working nicely with a signed NZ, with all your customers shouting at you that they can't reach asb.co.nz.

If people are really interested in seeing DNSSEC deployed in NZ then there is more work to do than simply waiting for NZRS, and plenty to be getting on with right away.

Joe
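As an added illustration of the validator configuration Joe describes (a BIND 9 resolver of the era, with a manually-maintained trust anchor for a signed TLD plus ISC's DLV registry as lookaside), not taken from the thread or from any .nz project: the `named.conf` fragment below is example text. The DNSKEY material is a placeholder and must be replaced with the real key, fetched and verified out of band; the "se." label is only an example of a signed TLD, and ISC's DLV registry has since been retired, so the `dnssec-lookaside` stanza is historical.

```conf
options {
    // Turn on DNSSEC processing and validation in the recursive resolver.
    dnssec-enable yes;
    dnssec-validation yes;

    // Lookaside validation via ISC's DLV registry (historical; the
    // registry was shut down in 2017). The DLV zone's own key must be
    // listed under trusted-keys below for this to work.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

// Manually-maintained trust anchors: one per signed zone you choose to
// validate directly. Key material below is a PLACEHOLDER, not a real key.
// Obtain the KSK (flags 257) from the zone operator and verify it out of
// band before pasting it here; a wrong key turns the whole zone into a
// validation failure for your customers.
trusted-keys {
    "se."          257 3 5 "REPLACE-WITH-VERIFIED-KSK-FOR-SE";
    "dlv.isc.org." 257 3 5 "REPLACE-WITH-VERIFIED-DLV-KSK";
};
```

Once the resolver is running, a practitioner checks that validation is actually happening by querying a known-signed name with the DO bit set (`dig +dnssec`) against the resolver and confirming the `ad` flag is present in the answer; a missing `ad` flag (or SERVFAIL on a name that resolves fine through a non-validating resolver) is the symptom of the trust-anchor mistakes Joe warns about. Manually-listed keys also go stale when the zone rolls its KSK, so each anchor needs a documented owner and a re-check schedule.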