On Tue, Feb 25, 2014 at 08:21:14AM -0500, Charles Marcus wrote:
> On 2/24/2014 3:52 PM, /dev/rob0 <r...@gmx.co.uk> wrote:
> > On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote:
> > > Oh yes - DNSSEC. When will it come? In hundred years?
> >
> > Dirk, do you mind explaining this? Are you having trouble
> > finding DNSSEC-enabled DNS hosting?
>
> Well, here is what mine (DNSMadeEasy) says on the subject:
>
> > After seeing others in the Managed DNS space fail to properly
> > maintain these processes for customers and the headaches (and
> > nightmares) that come from not properly implementing these
> > processes, we have been very careful in approaching this
> > difficult task.
That sounds very reasonable.

> and
>
> > DNS Made Easy is monitoring the DNSSEC RFCs and their progress
> > on the standards track.

That progress was completed for RFC 4035 in March 2005, nine years
ago! Credibility begins to slip away.

> > We will not consider implementing DNSSEC until NSEC3
> > becomes widely implemented as NSEC allows domain enumeration
> > (which we are firmly against).

This is absurd. NSEC3 is available now, of course, and it has been
for many years. The absurdity is that the choice of NSEC3 or not
belongs to the domain owner, no one else. Zone enumeration (or
"walking") is only a problem if the domain owner thinks it is. Are
they saying that they want to see a certain percentage of domain
owners adopt NSEC3? How would they determine this? And what is the
point?

> > The root (.) domain is not signed and will not be signed
> > for some time (if ever).

Plans to sign the root were announced in mid 2009, five years ago!
Discussions leading to that announcement go back even further. At
this, your provider admits to having been out of touch in excess of
five years.

> > There are currently some very real issues with DNSSEC key
> > authentication, distribution, management, and revocation. DNS
> > Made Easy will continue to evaluate DNSSEC implementation as
> > these issues with the RFCs are resolved.

And these issues are ... ? And I should listen to someone who has
been out of touch with the DNS world over five years because ... ?

> > Until the issues with DNS sec are resolved we will not consider
> > implementing it with our primary service. I don't see this
> > happening for a few years.
>
> Curious what others (especially Victor) think of this response.
> Why are they 'firmly against' NSEC's 'enumeration of domains'
> feature, and the comment about 'very real issues...'...

Good questions. I don't know. I don't care. They shot their own
credibility down.
> Anyone have any recommendations for decent DNS Service Providers
> that don't cost an arm and another arm (DNSMadeEasy is really
> inexpensive, and their service has been awesome for the 3+ years
> we've been using them), and that are known to 'do DNSSEC' right?

Beyond what I said upthread, I am not sure.

One thing worth mentioning: the New Way in the DNSSEC Age expects
domain owners to run their own signing (probably "stealth") master
nameservers. As I told Dirk, those who can run Postfix won't have a
problem with this.

DNSSEC-enabled providers are likely to do it the way GKG and Linode
do: offering DNSSEC as slave/secondary servers only. This way your
keys are yours: they have real meaning, and you have real control.

But that's still too geeky for some. When someone comes along who
will do it all: register a domain, host it, sign it when the user
clicks a checkbox: that will be hot. Maybe there are such providers
now, but I haven't heard of them yet.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
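The NSEC versus NSEC3 point argued above, as an added example that is not part of this thread (not rob0's, Charles's, or DNS Made Easy's code): a small Python script that builds an NSEC chain over a constructed example.com zone, walks it the way an attacker would, then hashes the same owner names with NSEC3 (RFC 5155) and shows that the walk now yields only hashes. It also shows the caveat the owner should weigh when choosing NSEC3: the salt and iteration count are public in NSEC3PARAM, so guessable names still fall to an offline wordlist. The zone contents, the attacker wordlist, and the choice of the RFC 5155 Appendix A salt and iteration count are all assumptions made for this illustration.

```python
"""NSEC zone walking versus NSEC3 hashed owner names (RFC 4034 / RFC 5155).

Added example for the thread above; not code from the list, from rob0,
or from any DNS provider. The zone, the attacker wordlist and the NSEC3
salt/iterations (borrowed from the RFC 5155 Appendix A test vector) are
constructed for illustration.
"""
import base64
import hashlib

ZONE = "example.com."
# Constructed sample zone: owner names a signer would find in example.com.
SAMPLE_NAMES = [
    "example.com.", "www.example.com.", "mail.example.com.",
    "legacy-vpn.example.com.", "staging-db.example.com.",
]
# Published in the zone's NSEC3PARAM record, so an attacker knows them too.
SALT_HEX, ITERATIONS = "aabbccdd", 12


def canonical_key(name):
    """Ordering key per RFC 4034 section 6.1: compare labels from the root
    down, case-insensitively; an ancestor sorts before its descendants."""
    return tuple(name.rstrip(".").lower().split(".")[::-1])


def build_nsec_chain(names):
    """Return [(owner, next_owner)] in canonical order; the last record
    points back to the apex, which is what makes the chain walkable."""
    ordered = sorted(set(names), key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]


def walk_nsec(chain, apex):
    """Attacker's view: start at the apex and follow each NSEC 'next' name
    until it wraps. Every step reveals one more name that exists."""
    nxt = dict(chain)
    found, cur = [], apex
    while True:
        found.append(cur)
        cur = nxt[cur]
        if cur == apex:
            return found


def wire_name(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels,
    terminated by the zero-length root label."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


# RFC 5155 uses base32hex (RFC 4648) so hashed names sort like the raw hash
# bytes; Python's b32encode emits the standard alphabet, so translate it.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: IH(x,0) = SHA1(x||salt); IH(x,k) = SHA1(IH(x,k-1)||salt).
    Owner name = base32hex(IH(x, iterations)), 32 characters for SHA-1.
    Appendix A vector: 'example.' with salt aabbccdd and 12 iterations
    hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def build_nsec3_chain(names, salt_hex, iterations):
    """Hash every owner name and chain the hashes in sorted order. The chain
    is still walkable, but a walk yields hashes rather than names."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in set(names))
    return [(hashed[i], hashed[(i + 1) % len(hashed)])
            for i in range(len(hashed))]


def recover_from_wordlist(nsec3_chain, wordlist, zone, salt_hex, iterations):
    """The caveat: NSEC3 hides only names an attacker cannot guess. Hash each
    candidate with the public salt/iterations and look it up among the
    hashed owners collected by walking the NSEC3 chain."""
    present = {owner for owner, _ in nsec3_chain}
    return {f"{w}.{zone}" for w in wordlist
            if nsec3_hash(f"{w}.{zone}", salt_hex, iterations) in present}


def demo():
    """Run both signing styles over the constructed zone."""
    leaked = walk_nsec(build_nsec_chain(SAMPLE_NAMES), ZONE)
    print("NSEC walk from the apex enumerates:", leaked)

    chain3 = build_nsec3_chain(SAMPLE_NAMES, SALT_HEX, ITERATIONS)
    print("NSEC3 walk yields only hashes:", [owner for owner, _ in chain3])

    # Constructed attacker wordlist: common labels, not the odd ones.
    guessed = recover_from_wordlist(chain3, ["www", "mail", "ftp", "ns1"],
                                    ZONE, SALT_HEX, ITERATIONS)
    print("Recovered from NSEC3 with a wordlist:", sorted(guessed))
    return leaked, chain3, guessed


if __name__ == "__main__":
    demo()
```

Running it shows the NSEC walk listing every name including legacy-vpn and staging-db, while the NSEC3 walk lists 32-character hashes; the wordlist step then recovers www and mail but not the two unusual names. That is the trade-off the domain owner, not the provider, is in a position to make: NSEC3 raises the cost of enumeration for names that are not guessable, and the owner decides whether that matters for their zone.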