On Tue, Nov 10, 2015 at 05:00:03PM +0100, Benny Pedersen wrote:

> Here is my story on DNSSEC
This is but an anecdote, let's not promulgate too many of those...

> When I used junc.org for email it was not possible to have the DS record
> added to registrar holder, api missed, so I got the advice from my dns server
> admins to get an eu tld domain, so I got junc.eu, this domain was DNSSEC at
> that stage without doing anything

All the original gTLD domains (edu, gov, mil, org, net, com) are signed.
With signed TLDs what matters is the choice of registrar. If your
current registrar does not support DNSSEC, you can generally find
another that does.

All new gTLDs created under the recent gTLD expansion are signed.

At this time, the unsigned TLDs are 142 of the 247 two-letter ccTLDs:

    ae. ai. al. ao. aq. as. ax. az. ba. bb. bd. bf. bh. bi. bj. bm.
    bn. bo. bs. bt. bv. bw. cd. cf. cg. ci. ck. cm. cu. cv. cw. cy.
    dj. dm. do. dz. ec. eg. er. et. fj. fk. fm. ga. gb. ge. gf. gg.
    gh. gm. gp. gq. gt. gu. gw. gy. hk. hm. ht. il. im. iq. ir. it.
    je. jm. jo. kh. km. kn. kp. kw. kz. lr. ls. ly. ma. mc. md. mg.
    mh. mk. ml. mo. mp. mq. mr. ms. mt. mu. mv. mw. mz. ne. ng. ni.
    np. nr. om. pa. pf. pg. ph. pk. pn. ps. py. qa. ro. rs. rw. sa.
    sd. sg. sk. sl. sm. sn. so. sr. st. sv. sy. sz. tc. td. tg. tj.
    tk. to. tr. uz. va. vc. ve. vg. vi. vn. ws. ye. za. zw.

and the below:

    aero.                    xn--d1alf.               xn--mgbpl2fh.
    coop.                    xn--fzc2c9e2c.           xn--mgbtx2b.
    int.                     xn--j1amh.               xn--node.
    mobi.                    xn--j6w193g.             xn--ogbpf8fl.
    pro.                     xn--lgbbat1ad8j.         xn--qxam.
    tel.                     xn--mgb9awbf.            xn--wgbl6a.
    travel.                  xn--mgba3a4f16a.         xn--xkc2al3hye2a.
    xn--80ao21a.             xn--mgbaam7a8h.          xn--yfro4i67o.
    xn--90a3ac.              xn--mgbayh7gpa.          xn--ygbi2ammx.
    xn--90ais.               xn--mgbc0a9azcg.
    xn--clchc0ea0b2g2a9gcd.  xn--mgberp4a5d4ar.

There are 106 IDNA (xn--punycode encoded UTF-8) TLDs, of which 82 are
signed and 24 are not. There are 1103 TLDs in total, of which 930 are
signed and 173 are not. So mostly the laggards are the ccTLDs.

(At least there's something that ".il", ".ir" and ".sa" appear to agree
on. Just a joke, no political sub-thread please).
> Summary, it depends on the tld, and how much work the selected dns server
> does for domain owners

Yes, the TLD needs to be signed, but most are. Choose the right
registrar. The real obstacle to DNSSEC deployment is coming to grips
with the tools (which are still improving). I use BIND's:

    auto-dnssec maintain;
    inline-signing yes;

in an authoritative-only server. And I have a monitoring script that
makes noise any time a secondary or master has RRSIGs too close to
expiration, NS records that don't match the parent delegation, ...

-- 
	Viktor.
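[Editor's note] The checks Viktor describes (RRSIGs close to expiry, NS sets that differ from the parent delegation) are easy to get wrong by hand, so below is an added example that implements them offline. It is not Viktor's script, not part of the thread and not BIND code; it parses records in the presentation format that `dig` prints, the sample child and parent records are constructed for the example (`example.net.` and its name servers are placeholders), and the 7-day warning threshold is an assumption (BIND re-signs well before expiry, so anything inside a week suggests signing has stalled). A DS check is included as well, since a signed TLD does not help a zone whose DS was never published at the parent.

```python
"""Offline DNSSEC delegation health checks.

Added example, not code from the thread or from BIND. Input is text in
the presentation format `dig` prints (one RR per line). Both record sets
below are constructed samples; in practice they would come from
`dig +dnssec <zone> SOA/NS` at the child and `dig @<parent-ns> <zone> NS/DS`
at the parent.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what the child's authoritative server answers.
CHILD_RECORDS = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2015111001 7200 3600 1209600 3600
example.net. 3600 IN RRSIG SOA 8 2 3600 20151118120000 20151019120000 12345 example.net. dGVzdA==
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN NS ns2.example.net.
example.net. 3600 IN RRSIG NS 8 2 3600 20151201120000 20151101120000 12345 example.net. dGVzdA==
"""

# Constructed sample: the delegation as the parent (net.) publishes it.
PARENT_RECORDS = """\
example.net. 172800 IN NS ns1.example.net.
example.net. 172800 IN NS ns3.example.net.
example.net. 86400 IN DS 12345 8 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# Fixed "current time" so the sample produces deterministic results.
SAMPLE_NOW = datetime(2015, 11, 15, 12, 0, tzinfo=timezone.utc)

# Assumed threshold: warn when a signature has less than this left.
WARN_DAYS = 7


def parse_rrs(text):
    """Split presentation-format lines into (owner, ttl, class, type, rdata fields)."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        fields = line.split()
        owner, ttl, rrclass, rrtype = fields[:4]
        rrs.append((owner.lower(), int(ttl), rrclass, rrtype, fields[4:]))
    return rrs


def rrsig_expiry(rdata):
    """RRSIG rdata: type-covered alg labels orig-ttl EXPIRATION inception keytag signer sig.

    The expiration is YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiring_rrsigs(records, now, warn_days=WARN_DAYS):
    """Return [(type_covered, whole_days_left)] for RRSIGs inside the warning window."""
    out = []
    for _owner, _ttl, _cls, rrtype, rdata in parse_rrs(records):
        if rrtype != "RRSIG":
            continue
        left = rrsig_expiry(rdata) - now
        if left < timedelta(days=warn_days):
            out.append((rdata[0], left.days))
    return out


def ns_mismatch(child_records, parent_records):
    """Compare the child's apex NS set with the parent's delegation NS set.

    Returns (names only at the child, names only at the parent); both empty
    when the delegation is consistent."""
    child = {r[4][0].lower() for r in parse_rrs(child_records) if r[3] == "NS"}
    parent = {r[4][0].lower() for r in parse_rrs(parent_records) if r[3] == "NS"}
    return sorted(child - parent), sorted(parent - child)


def delegation_signed(parent_records):
    """True if the parent publishes at least one DS for the delegation."""
    return any(r[3] == "DS" for r in parse_rrs(parent_records))


def report(child_records, parent_records, now):
    """All problems found, as human-readable strings (empty list means healthy)."""
    problems = []
    for covered, days in expiring_rrsigs(child_records, now):
        problems.append(f"RRSIG over {covered} expires in {days} day(s)")
    only_child, only_parent = ns_mismatch(child_records, parent_records)
    if only_child or only_parent:
        problems.append(f"NS mismatch: child-only {only_child}, parent-only {only_parent}")
    if not delegation_signed(parent_records):
        problems.append("no DS at parent: delegation is unsigned")
    return problems


if __name__ == "__main__":
    for problem in report(CHILD_RECORDS, PARENT_RECORDS, SAMPLE_NOW):
        print("WARNING:", problem)
```

On the constructed sample the SOA signature is three days from expiry and the parent lists `ns3.example.net.` where the child has `ns2.example.net.`, so two warnings come out; the NS signature (16 days left) and the published DS pass. Feeding `datetime.now(timezone.utc)` and live `dig` output in place of the constants turns this into the kind of monitor the message describes.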