IETF Logo Mail Archive

Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Otmar Lendl <lendl@nic.at> Fri, 08 August 2008 14:09 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 582F43A6D77; Fri, 8 Aug 2008 07:09:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.227
X-Spam-Level:
X-Spam-Status: No, score=-1.227 tagged_above=-999 required=5 tests=[AWL=0.397, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_AT=0.424, RCVD_IN_DNSWL_LOW=-1, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EDLeLHdbxJCV; Fri, 8 Aug 2008 07:09:12 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 661793A6CE2; Fri, 8 Aug 2008 07:09:12 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KRSXl-000LdG-Ms for namedroppers-data@psg.com; Fri, 08 Aug 2008 14:02:13 +0000
Received: from [88.198.34.164] (helo=mail.bofh.priv.at) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <lendl@nic.at>) id 1KRSXe-000LbX-Jz for namedroppers@ops.ietf.org; Fri, 08 Aug 2008 14:02:08 +0000
Received: from [10.10.0.107] (nat.labs.nic.at [83.136.33.3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.bofh.priv.at (Postfix) with ESMTP id F10A04D41C for <namedroppers@ops.ietf.org>; Fri, 8 Aug 2008 16:02:01 +0200 (CEST)
Message-ID: <489C5202.4080405@nic.at>
Date: Fri, 08 Aug 2008 16:02:42 +0200
From: Otmar Lendl <lendl@nic.at>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl> <489B09FE.8050701@e164.org> <49451.1218124457@nsa.vix.com>
In-Reply-To: <49451.1218124457@nsa.vix.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

Paul Vixie wrote:
>
>   which is not to say
> that dnssec is easy -- i know that at ISC we're thinking seriously of
> dedicating the whole BIND 9.7 release to dnssec tools and usability.

This is a good idea.

We really need a single checkbox "Automatically sign all my zones" in the 
nameserver implementations.

That, and not the protocol itself is holding up DNSSEC deployment. IMHO and 
all that.

But back to the namedropper charter:

  * Are there any open protocol issues which make such a "single checkbox"
    deployment of DNSSEC impossible?

  * In order to facilitate this, we need automatic DS generation in the
    parent zone, and means to deal with lost keys and other
    "crypto-emergencies". Is this all defined?

What I really want is a Debian upgrade which just asks for my confirmation 
to enable DNSSEC on my box without any further interactions.

/ol
-- 
// Otmar Lendl <lendl@nic.at>, T: +43 1 5056416 - 33, F: - 933 //

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email