Re: The problem I see with DNSSEC as a potential end user and administrator.

Olaf Kolkman <olaf@NLnetLabs.nl> Fri, 08 August 2008 10:25 UTC

Cc: Namedroppers WG <namedroppers@ops.ietf.org>, Mark Andrews <Mark_Andrews@isc.org>, Paul Vixie <paul@vix.com>, bert hubert <bert.hubert@netherlabs.nl>
Message-Id: <56DE84F3-E432-40F8-B174-EC9B5EDB4FDE@NLnetLabs.nl>
From: Olaf Kolkman <olaf@NLnetLabs.nl>
To: Ondřej Surý <ondrej.sury@nic.cz>, Duane <duane@e164.org>
In-Reply-To: <e90946380808080252r35e88807v15e904d10c73cb76@mail.gmail.com>
Subject: Re: The problem I see with DNSSEC as a potential end user and administrator.
Date: Fri, 08 Aug 2008 12:17:48 +0200
References: <489BE047.1010100@e164.org> <e90946380808080203g65c99a72meca9db15c1194df1@mail.gmail.com> <489C0E08.3040406@e164.org> <e90946380808080218n7acddd46gd99d39fa71edcb26@mail.gmail.com> <489C112A.8000306@e164.org> <e90946380808080232w756e1123u2237fa1ac846173f@mail.gmail.com> <489C140C.60205@e164.org> <e90946380808080252r35e88807v15e904d10c73cb76@mail.gmail.com>

[This thread has gone off-topic, so has this reply]

On Aug 8, 2008, at 11:52 AM, Ondřej Surý wrote:

> 2008/8/8 Duane at e164 dot org <duane@e164.org>:
>> Ondřej Surý wrote:
>>
>>> So when you installed your DNS server infrastructure, was it just
>>> some "magic" command which caused all your domain names to be served
>>> by those servers?  Or did you have to make changes to config files,
>>> generate TSIG keys, configure primary, configure slaves, add zones
>>> to config file...
>>
>> apt-get scripts either prompt for more information or pre-config
>> nearly everything out of the box.
>
> No, it doesn't.  It just adds some preconfiguration for rDNS, but it
> doesn't set up your zones.  You have to add them manually.  Same with
> TSIG, slaves, etc.
>
>>> I see a kind of analogy here.  Available tools are a bit rough at this
>>> time, but it's magnitudes better than it was half a year ago.
>>
>> What was, is meaningless to those that don't know or care; what is,
>> is all that matters if you are trying to sell DNSSEC to the unwashed
>> masses that aren't drinking the koolaid.
>
> Well, we don't need to sell it to the masses.  We just need to educate
> registrars, ISPs and big zone hosters, where people with (at least some)
> clue work.  And that's something we are working on.

Ondřej Surý, Duane Groth,

You are both right.

We need the clueful folk to deploy and provide basic infrastructure, we need the clueful folk to build the tools, the devices and auto-scripts, and then we need the masses to make deployment a success. We are still at the beginning of the deployment curve.

But mind you. If you want to do DNSSEC in a no-brain fashion there are proprietary solutions already (just like there are proprietary solutions for plain-old DNSSEC management).

The design of management software is to a great extent off-topic for this list, unless we need protocols to make them interoperate.

We have RFC5011 to manage part of that (open-source implementation forthcoming) and numerous folk are working on key-maintenance tools. See for instance: http://www.dnssec-tools/, http://www.opendnssec.org/, http://www.xtcn.com/lamb/pkcs11HSMtools.tar.gz, and http://www.ripe.net/disi/dnssec_maint_tool/ are some initiatives I am aware of. ISC has announced work on tools for the next version of bind.

I would agree with claims that most of them are far from state of the art, but the activity in this area is rapidly increasing.

Duane, you seem to be the kind of guy that knows both what end-users really need, and has the clue to spec and implement that ;-)

--Olaf

PS. I will keep an open eye on alternative protocol or operational practices that will help to bridge the gap between now and the time that DNSSEC has seen sufficient deployment to make it useful, but I will try to refrain from entering in future off-topic debates on this issue on this list.