[dns-operations] darkreading article on EDU signing

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Sep 11 09:38:51 UTC 2009

On Thu, Sep 10, 2009 at 02:23:37PM -0700,
 Michael Sinatra <michael at rancid.berkeley.edu> wrote 
 a message of 18 lines which said:

> 'And DNS administrators won't consider going DNSSEC until the root is  
> signed, Kaminsky says. "None of this work is operationally useful until  
> the day the root is signed," he says....'
> Really?

He's right. Very few resolver admins will activate DNSSEC validation
as long as it means managing dozens of different trust anchors, each
published in a different way. 

Either they won't activate validation (the most probable case), or they
will activate it only for one or two TLDs (".gov" for the US federal
agencies, for instance), or maybe they will use DLV, but it seems that
many people (wrongly) hesitate (Kaminsky does not even mention it as
a solution to the signing-of-the-root problem).

The rest of the article is very correct, too:

> "A lot of organizations don't have DNS experts sitting around, and a
> lot of operators don't understand it," Tumuluri says. "This is a big
> challenge. And DNSSEC adds a whole new dimension of complexity to
> DNS operations, which could cause problems. There will be slow
> movement to it because people don't want to take big leaps and screw
> things up."


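The "dozens of different trust anchors" Bortzmeyer mentions are DS records that an operator has to fetch out of band and compare against the DNSKEY each TLD actually serves. The following is an added illustration of that check, not code from the post or from any resolver: it builds the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest for a DNSKEY and verifies a published DS against it. The owner name, flags and the few public-key bytes are a constructed toy (they stand in for an RSA key and would not validate anything), not a real TLD key.

```python
"""Verify that a published DS record (trust anchor) matches a DNSKEY.

Added illustration, not code from the mailing-list post. The DNSKEY below is
a constructed toy: a handful of bytes in place of a real RSA public key.
Key tag follows RFC 4034 Appendix B; the digest is DS type 2 (SHA-256,
RFC 4509) over the canonical owner name plus the DNSKEY RDATA.
"""
import hashlib
import hmac
import struct

# Constructed sample, NOT a real zone or key.
TOY_OWNER = "example."
TOY_FLAGS = 257            # zone key (256) + Secure Entry Point (1): a KSK
TOY_PROTOCOL = 3           # always 3 for DNSSEC
TOY_ALGORITHM = 8          # RSASHA256
TOY_PUBKEY = bytes.fromhex("03010001ABCD")  # exponent-length, e=65537, toy modulus


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    body = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return body + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name wire form || DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(owner_name_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> tuple:
    """Return the DS RDATA (key tag, algorithm, digest type, digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, 2, ds_digest(owner, rdata))


def ds_matches_dnskey(ds: tuple, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """True if the published DS identifies this DNSKEY: same key tag, same
    algorithm, and the digest recomputed from the key equals the one in the DS."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        raise ValueError("only DS digest type 2 (SHA-256) is handled here")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if alg != algorithm or tag != key_tag(rdata):
        return False
    # Constant-time compare so the check is the same whichever byte differs.
    return hmac.compare_digest(digest.upper(), ds_digest(owner, rdata))


if __name__ == "__main__":
    ds = make_ds(TOY_OWNER, TOY_FLAGS, TOY_PROTOCOL, TOY_ALGORITHM, TOY_PUBKEY)
    print("%s IN DS %d %d %d %s" % ((TOY_OWNER,) + ds))
    print("matches served DNSKEY:",
          ds_matches_dnskey(ds, TOY_OWNER, TOY_FLAGS, TOY_PROTOCOL, TOY_ALGORITHM, TOY_PUBKEY))
    # A single changed key byte changes both the key tag and the digest.
    tampered = TOY_PUBKEY[:-1] + b"\x00"
    print("matches tampered DNSKEY:",
          ds_matches_dnskey(ds, TOY_OWNER, TOY_FLAGS, TOY_PROTOCOL, TOY_ALGORITHM, tampered))
```

Repeating this by hand for every signed TLD, each publishing its DS on a differently formatted web page, is the burden the post describes; once the root is signed, a single root DS is the only value that has to be verified this way.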