Lutz Donnerhacke wrote:
While I am generally the first to bash VSRN, I must say that I am forever thankful to them for this.
Please stay away from your US centric view. Verisign did provide a testbed for NSEC3. That does not mean that they are the sole inventor of everything.

BTW, most of my wording came from the NLnet Labs press release. There was some irony in my original sentence. Being sometimes considered by the Americans as an EU undercover agent, I find it refreshing to be called US centric.

Jokes aside, it is healthy to have another DNS resolver which does not use the BIND code and is under active development. I do use Unbound in production and, as you may know, I have contributed some input for its binary packaging in Linux distributions.
DNSSEC suffers the same issue as IPv6 that prevents wide deployment.
No. From the experience of rolling out IPv6 as well as DNSSEC, I'm pretty sure that DNSSEC is much, much easier. You do not need to touch every device in the net. Only the DNS servers.
I give them such a tool. They can pay for remote signing. But they should do it themselves in the medium term. Those are their zones.
Until such a tool is included as a standard feature in mainstream OSes and/or registrar web interfaces, I am afraid DNSSEC will not reach critical mass. This is where I think ALAC can help, in the sense it is well placed to talk to registrars to get it included in their range of off-the-shelf services. Ditto for IPv6 glue records.

--
Patrick Vande Walle
Check my blog: http://patrick.vande-walle.eu