DANE of SMTP Survey

John Levine johnl at iecc.com
Fri Jun 11 16:44:38 UTC 2021


It appears that Tom Ivar Helbekkmo via NANOG <tih at hamartun.priv.no> said:
>Jeroen Massar via NANOG <nanog at nanog.org> writes:
>
>> No, not even kidding. For many organisations DNSSEC is 'scary' and a
>> burden as it feels 'fragile' for them.
>
>Unfortunately, yes.  And those of us who use it know that this is a
>myth.  With modern software, DNSSEC is quick and easy to set up, and
>works just fine, with no reason for any problems. ...

I wish that were true.  I have signed all 300 zones on my DNS
servers, but only about half of them have working DNSSEC because there
is no practical way to install the DS records.  For names that are
registered through my registrar reseller account, it's easy since my
registrar (Tucows) has an API.  But for the rest of them that my
users have registered somewhere else, either I have to try and walk
them through the process of uploading the DS data themselves, or
they have to give me their account passwords, neither of which is
workable if you have 100 domains, much less thousands.

I know about CDS, and have tried publishing CDS, but none of my
unsigned domains are at the handful of registries that do CDS
bootstrapping.

I've been grousing about this at the IETF and ICANN for years;
people say yes, that's a problem, and nothing happens.


