On Aug 12, 2008, at 11:40 AM, Dean Anderson wrote:
> DNSSEC has been deployed on large scale by some TLDs and RIRs
> already.
> It is very much operational.
> Not very much--99 domains out of 70 million in .com.
As has been pointed out, .COM is not signed. The fact that there are
99 zones signed in .COM is actually a bit surprising and points out
one of the larger flaws with DNSSEC -- the assumption of a
hierarchical top-down trust model in a world where the likeliest
deployment model is bottom-up. For the signing of any of those
99 .COM zones to be useful, caching server operators have to manually
configure/update the trust anchors for each of those zones. That
obviously won't scale. And VeriSign hasn't exactly been chomping at
the bit to sign .COM, quite the opposite as I understand it.
> Your argument would be stronger if you identified which TLDs and
> which RIRs.
Last I checked:
.SE, .BG, .PR, and .BR have been signed.
RIPE-NCC signs the in-addr.arpa zones they are responsible for.
I have been told there are several more top-level domains that have
indicated they will be signing their zones before the end of the
year. The IAB has asked IANA to sign .ARPA and its child zones and
that process is underway, see https://ns.iana.org/dnssec/status.html
(unfortunately, that effort has been a bit blocked for non-technical
reasons). Others have indicated they are considering and/or
attempting to do so, but are constrained for various reasons. Plans
may have changed with the recent vulnerability announcements, but it
would be inappropriate for me to pretend to speak for those TLD
operators.
Regards,
-drc
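The trust-model point made above (a signed zone under an unsigned parent can only be validated if each caching resolver operator configures a trust anchor for it by hand, while a signed parent can vouch for its children through DS records) as an added, constructed example; it is not code from the list thread, and the zone names, sets and function names are assumptions for illustration.

```python
# Toy model of how a validating resolver walks the DNSSEC chain of trust.
# Constructed data only: no real DNS is queried. Names are fully qualified
# with a trailing dot, e.g. "example.se.".
from typing import Set

# Constructed 2008-style picture: .SE signed and anchored by the operator,
# a child of .SE delegated with a DS record, and a signed zone under an
# unsigned .COM (as in the thread, .COM publishes no DNSKEY or DS records).
SIGNED: Set[str] = {"se.", "example.se.", "example.com."}   # publish DNSKEY/RRSIG
HAS_DS: Set[str] = {"example.se."}                           # parent holds a DS for them
TRUST_ANCHORS: Set[str] = {"se."}                            # keys configured by hand


def parent_of(zone: str) -> str:
    """Parent zone name; '.' (the root) has no parent and returns ''."""
    if zone == ".":
        return ""
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def chain_of_trust(zone: str, signed: Set[str], has_ds: Set[str],
                   trust_anchors: Set[str]) -> str:
    """Return the zone at which validation of `zone` is anchored, or ''.

    Walks upward: a locally configured trust anchor ends the walk; a DS
    record lets the walk continue to the parent, but only if the parent is
    itself signed, since an unsigned parent cannot vouch for a child key.
    """
    if zone not in signed:
        return ""
    current = zone
    while current:
        if current in trust_anchors:
            return current
        parent = parent_of(current)
        if current in has_ds and parent in signed:
            current = parent
            continue
        return ""
    return ""


def zones_needing_manual_anchor(zones: Set[str], signed: Set[str],
                                has_ds: Set[str], anchors: Set[str]) -> Set[str]:
    """Signed zones a resolver cannot validate without a per-zone anchor."""
    return {z for z in zones if z in signed
            and not chain_of_trust(z, signed, has_ds, anchors)}


if __name__ == "__main__":
    for z in sorted(SIGNED):
        print(z, "->", chain_of_trust(z, SIGNED, HAS_DS, TRUST_ANCHORS) or "unvalidatable")
```

Adding "example.com." to TRUST_ANCHORS makes it validatable, which is exactly the per-zone manual configuration the reply says will not scale.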
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop