[dns-operations] DNSSEC DANE testing

Vernon Schryver vjs at rhyolite.com
Tue Jul 31 20:40:17 UTC 2012


> It's being worked on by people. For instance, it was important to
> get a libunbound version that used nss and not openssl, for various

I think it's more important for everyone who professes to care sign
their domain names, even if that means using ISC's trust anchor
until a TLD is signed.  See https://encrypted.google.com/search?q=isc+dlv
https://dlv.isc.org/

That one's registrar refuses DNSSEC is not a good excuse unless one wants
to be part of the conspiracy to protect the profits of pkix vendors.
("Conspiracy" is the wrong word, because I think NSI's opposition
to DNSSEC is not based on pkix margins that are not really threatened
by DANE or even really intentional, but merely a reflection of the
corporate culture seen since NSI took over from SRI.)

The counts on
http://scoreboard.verisignlabs.com/
http://scoreboard.verisignlabs.com/count-trace.png
http://scoreboard.verisignlabs.com/percent-trace.png
are looking good, but there is a long way to go.


Vernon Schryver    vjs at rhyolite.com



More information about the dns-operations mailing list