[dns-operations] summary of recent vulnerabilities in DNS security.

Rubens Kuhl rubensk at nic.br
Tue Oct 22 21:53:41 UTC 2013


Em 22/10/2013, às 18:06:000, Michele Neylon - Blacknight escreveu:

> 
> On 22 Oct 2013, at 20:28, Jared Mauch <jared at puck.nether.net>
> wrote:
>>> 
>> 
>> It's difficult because there is not universal support amongst registrars.  Once again the wheel gets stuck when the technical side meets the business side.  
> 
> It's not entirely "business" that causes the issues .. 

.nl and .cz got massive registrar adoption to DNSSEC offering business incentives, so it seems business side accounts for most of it. 

> 
> Registry operators do not have a consistent or uniform way of implementing DNSSEC, which makes integration more complex for registrars.

Do you mean sec-DNS 1.0 (RFC 4310) x sec-DNS 1.1 (RFC 5910)?  DS or DNSKEY ? Both ? My guess is that sec-DNS 1.1 with DS and DNSKEY would work for all DNSSEC-signed EPP TLDs... 

> 
> If, as a registrar, we only offered .com then it would be one thing, but that's not the case .. 

Considering RFC 5910 is mandatory for all new gTLDs, and with that requirement being extended to gTLD renewals (.info, .biz, .org), it seems implementing RFC 5910 cuts it. Even ccTLDs like .br (and others for sure) follow RFC 5910. 


Rubens










More information about the dns-operations mailing list