On 28 July 2010 02:00,
Re: [nznog] The root is now signed!
Hi all, What, if any, impact is there or will there be on zones that are not signed/dnssec compliant? What is the timeline for cutoff (if any), i.e. will there come a time when any system not compliant will simply be "cut off"? Regards, Anton
Anton Smith wrote:
On 28 July 2010 02:00,
mailto:nznog-request(a)list.waikato.ac.nz> wrote: Re: [nznog] The root is now signed!
Hi all,
Hi,
What, if any, impact is there or will there be on zones that are not signed/dnssec compliant?
What is the timeline for cutoff (if any), i.e. will there come a time when any system not compliant will simply be "cut off"?
The protocol was designed for smooth interaction between signed and non-signed zones. The perception I get from the protocol engineers is there is going to be a mixed world. In the near future applications will appear to take advantage of the signed zones (authenticity/integrity), but some will not see advantage and keep it as it currently is. Any change to the DNS protocol is particularly careful about backwards compatibility, unless DNS-NG changes things (I heard that term today). cheers,
Regards, Anton
------------------------------------------------------------------------
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
-- Sebastian Castro DNS Specialist .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 495 2337 mobile: +64 21 400535
To add to Sebastian's response ... On 29/07/2010, at 1:02 AM, Anton Smith wrote:
What, if any, impact is there or will there be on zones that are not signed/dnssec compliant?
What is the timeline for cutoff (if any), i.e. will there come a time when any system not compliant will simply be "cut off"?
We know that desktop operating systems will soon be capable of local DNSSEC validation and so there will have to be local configuration options available along the lines of:

1. don't use DNSSEC
2. use DNSSEC where it is available
3. only use DNSSEC

I imagine that most sysadmins will configure the desktops within their control to option 2 for the foreseeable future. It may turn out in many years, say 5 to 10, that the general setting is option 3, but there is always the possibility that a significant proportion of domains do not sign and so that move is indefinitely delayed.

Last year in an open meeting, the .cn (China) registry suggested that they might never be allowed to sign because the root keys are ultimately held by a US organisation, and so were concerned that if we ever got to a stage where many people were selecting option 3, then they would be effectively partitioned off from the rest of the Internet. I suspect political considerations like that will take some time to overcome.

cheers Jay
Regards, Anton
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840
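
The three local options listed above, modelled against the RFC 4035 validation states (secure, insecure, bogus), as an added example that is not part of the original thread. The zone names and delegation data are constructed, and reading option 3 as "accept only secure answers" is an assumption about what "only use DNSSEC" would mean in practice.

```python
from enum import Enum

class Policy(Enum):
    OFF = 1            # option 1: don't use DNSSEC
    OPPORTUNISTIC = 2  # option 2: use DNSSEC where it is available
    STRICT = 3         # option 3: only use DNSSEC (assumed: secure answers only)

# Constructed delegation tree:
# zone -> (parent, anchored, sigs_ok)
#   anchored: parent publishes a DS for the zone (for the root: a trust anchor is configured)
#   sigs_ok:  the zone's signatures verify against that DS / trust anchor
ZONES = {
    ".":                (None, True, True),
    "signed.":          (".", True, True),
    "child.signed.":    ("signed.", True, True),
    "unsigned.":        (".", False, False),       # no DS at the parent: provably unsigned
    "island.unsigned.": ("unsigned.", True, True),  # signed, but its parent is unsigned
    "broken.":          (".", True, False),        # DS exists, signatures do not verify
}

def validation_state(zone):
    """Walk the chain of trust from the root down to `zone`."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = ZONES[zone][0]
    for name in reversed(chain):
        _, anchored, sigs_ok = ZONES[name]
        if not anchored:
            return "insecure"  # chain ends here; everything below is unsigned to a validator
        if not sigs_ok:
            return "bogus"     # should have validated and did not
    return "secure"

def resolves(policy, zone):
    """Would a client configured with `policy` accept answers from `zone`?"""
    if policy is Policy.OFF:
        return True
    state = validation_state(zone)
    if policy is Policy.OPPORTUNISTIC:
        return state != "bogus"  # unsigned zones keep working
    return state == "secure"     # unsigned zones are cut off

def reachable(policy):
    return sorted(z for z in ZONES if resolves(policy, z))

if __name__ == "__main__":
    for p in Policy:
        print(p.name, reachable(p))
```

Under option 2 the only zone that stops resolving is the one with broken signatures, while under option 3 every zone below an unsigned delegation disappears, which is the partitioning concern raised in the post.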