[dns-operations] thoughts on DNSSEC

Peter Koch pk at DENIC.DE
Thu Jul 19 11:03:58 UTC 2012

On Wed, Jul 18, 2012 at 08:46:38PM +0200, Jan-Piet Mens wrote:

> He or she may have the bright idea of checking at the TLD. A really
> marvelous example is to be seen [1] at DENIC, responsible for .DE:
> Q: "How do I find a provider that supports DNSSEC?"
> A: "Please contact your domain provider to determine whether they
>     support DNSSEC."
> Brilliant. </sarcasm>

I couldn't but smile seeing this tribute to Hofstadter's readers,
but there are aspects that make providing lists not an easy task,
as we have already learnt in this thread by reference to such
'outdated' lists:

First, since DE allows for authoritative data within the DE zone
under certain conditions - and this data is signed with the DE key(s) -
that entry level support would be open to anyone.  Then, DENIC does
not require any technical flags or signup from the registrars for the
submission of key material, and even if it did, setting the flag would
not necessarily imply the registrar has already launched a product
or feature. Furthermore, there are registrars and resellers, sometimes
more than one level deep and either would use different products
and/or brand names, so that the statement 'registrar X supports DNSSEC'
might only apply to a certain set of customers.

Speaking of 'support' - that comes in two flavours, at least: being able
to accept key material and submit it to the registry and/or doing full
DNS operations.  While the latter is, strictly speaking, not covered by
the role model of a registrar (but of course also not precluded, indeed
current practice), it is what the customer sees in a product.
And speaking of the latter, the idea to have market demand disclosed to
the front-line actors ("your domain provider") doesn't sound too bad to me.

That said and ignoring signed authoritative data for a second, around 10%
of our members (~ registrars) do engage in DNSSEC, i.e., have submitted
key material for customers' domains.

-Peter (usual disclaimer applies)
