Re: The problem I see with DNSSEC as a potential end user and administrator.

"Ondřej Surý" <ondrej.sury@nic.cz> Fri, 08 August 2008 09:56 UTC

Message-ID: <e90946380808080252r35e88807v15e904d10c73cb76@mail.gmail.com>
Date: Fri, 08 Aug 2008 11:52:08 +0200
From: Ondřej Surý <ondrej.sury@nic.cz>
To: Duane at e164 dot org <duane@e164.org>
Subject: Re: The problem I see with DNSSEC as a potential end user and administrator.
Cc: Namedroppers <namedroppers@ops.ietf.org>, Mark Andrews <Mark_Andrews@isc.org>, Paul Vixie <paul@vix.com>, bert hubert <bert.hubert@netherlabs.nl>

2008/8/8 Duane at e164 dot org <duane@e164.org>:
> Ondřej Surý wrote:
>
>> So when you installed your DNS server infrastructure, was it just
>> some "magic" command which caused all your domain names to be served
>> by those servers?  Or did you have to make changes to config files,
>> generate TSIG keys, configure primary, configure slaves, add zones
>> to config file...
>
> apt-get scripts either prompt for more information or pre-config nearly
> everything out of the box.

No, it doesn't.  It just adds some preconfiguration for rDNS, but it doesn't
set up your zones.  You have to add them manually.  Same with TSIG, slaves,
etc.

>> I see a kind of analogy here.  Available tools are a bit rough at this time,
>> but it's magnitudes better than it was half a year ago.
>
> What was, is meaningless to those that don't know or care, what is, is
> all that matters if you are trying to sell DNSSEC to the unwashed masses
> that aren't drinking the koolaid.

Well, we don't need to sell it to the masses.  We just need to educate registrars,
ISPs and big zone hosters, where people with (at least some) clue work.
And that's something we are working on.

Ondrej
-- 
 Ondřej Surý
 technický ředitel/Chief Technical Officer
 -----------------------------------------
 CZ.NIC, z.s.p.o. -- .cz domain registry
 Americká 23,120 00 Praha 2,Czech Republic
 mailto:ondrej.sury@nic.cz http://nic.cz/
 sip:ondrej.sury@nic.cz tel:+420.222745110
 mob:+420.739013699 fax:+420.222745112
 -----------------------------------------