On Tue, Feb 25, 2014 at 09:07:13AM -0600, /dev/rob0 wrote:

> > Curious what others (especially Victor) think of this response.
> > Why are they 'firmly against' NSEC's 'enumeration of domains'
> > feature, and the comment about 'very real issues...'...
>
> Good questions. I don't know. I don't care. They shot their own
> credibility down.
My domains are (or will be when the transfer completes) signed with
NSEC3. RFC 5155 (NSEC3) was published in 2008. The root zone was signed
around 2010. DNSSEC is up and running.

- Not all registries support DNSSEC; if your ccTLD or other parent
  domain is not signed, then you have to wait. The root, ".com" and
  ".org" domains are signed, as are some ccTLDs (.se, .nl, ...).

- Not all registrars support publication of DS records, but enough do,
  so moving to a competent registrar is generally not a problem.

- All deployed DNSSEC validators support NSEC3. Many domains publish
  NSEC3 only with no ill effects.

- There is a "last mile" problem for DNSSEC. Mobile devices at
  airports, hotels, public wifi hotspots may encounter various
  difficulties for now. These are being worked on, but don't affect
  MTAs very much. Most MTAs don't move around.

- I don't think I should be recommending specific registrars. There is
  an official list of .org registrars with a column that indicates
  DNSSEC support. Pick one of those, if it supports DNSSEC for your TLD
  or parent domain.

-- 
	Viktor.
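As an added illustration of what "signed with NSEC3" means in practice (example code written for this page, not from the thread or from Postfix): the RFC 5155 hashed-owner-name computation, which a zone operator can use to check that the NSEC3 owner names an authoritative server publishes match the expected hash of each name. The parameters in the demo (SHA-1, 12 iterations, salt aabbccdd) are taken from the RFC 5155 Appendix A example zone, not from this thread; the salted, iterated hash is what keeps a zone's names from being read off an NSEC chain.

```python
import hashlib

# RFC 4648 section 7 "extended hex" alphabet; NSEC3 owner names use it in lowercase.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest becomes exactly 32 chars."""
    value = int.from_bytes(data, "big")
    nbits = len(data) * 8
    value <<= (-nbits) % 5            # pad on the right to a multiple of 5 bits
    nchars = (nbits + 4) // 5
    return "".join(_B32HEX[(value >> (5 * i)) & 31] for i in reversed(range(nchars)))


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 s5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Algorithm 1 (SHA-1) is the only hash algorithm RFC 5155 defines."""
    if algorithm != 1:
        raise ValueError("unsupported NSEC3 hash algorithm")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)  # "-" = empty salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Owner name of the NSEC3 RR that matches `name`, as it appears in `zone`."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.rstrip('.')}."


if __name__ == "__main__":
    # NSEC3PARAM values from the RFC 5155 Appendix A example zone (not from this thread).
    for owner in ("example.", "a.example.", "ns1.example."):
        print(owner, "->", nsec3_owner(owner, "example", "aabbccdd", 12))
```

Comparing the output against the NSEC3 owner names a resolver returns (e.g. from a `dig +dnssec` NXDOMAIN response) confirms the zone is actually serving NSEC3 with the parameters in its NSEC3PARAM record.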