Re: [EURO-Discuss] ALAC-WG on DNSSEC
On Mon, Sep 01, 2008 at 01:59:34AM +0200, JFC Morfin wrote:
At 01:04 01/09/2008, Lutz Donnerhacke wrote:
Please understand why the IANA signed root is not considered as production ready: They do construct errors in the zone to see how clients in the testbed react.
So, you mean they actually are working actively on deploying DNSSEC without anyone being informed?
Why did you not inform yourself before blaming others? http://ipv6.google.com/search?hl=de&q=ns.iana.org%2Fdnssec%2Fstatus.html
I understand now why brother Danny teases us in asking if this is not a too urgent matter for ALAC :-)
DNSSEC is one of the current activities of ICANN and therefore a current matter for ALAC. One might ask if DNSSEC is too urgent for AtLarge, the ALSes, and the users out there. Because AtLarge should guide the process, the ALSes should think about this subject. That's why I would like to have a track at the summit.
Please do not spread such FUD. Either you know what they are paid for, or drop your suggestive wording here.
I just read their own stuff and look at their welcome page. http://www.unbound.net/
: About Unbound
: ~~~~~~~~~~~~~
: Unbound is a validating, recursive, and caching DNS resolver.
:
: The C implementation of Unbound is developed and maintained by NLnet Labs.
: It is based on ideas and algorithms taken from a java prototype developed by
: Verisign labs, Nominet, Kirei and ep.net.
:
: Unbound is designed as a set of modular components, so that also DNSSEC
: (secure DNS) validation and stub-resolvers (that do not run as a server, but
: are linked into an application) are easily possible.
:
: The source code is under a BSD License.
[cut download sources]
: Support
: ~~~~~~~
: Unbound is being maintained by NLnet Labs, a not for profit, public benefit
: foundation. Problems can be reported through the bugzilla webinterface. In
: the case we stop supporting the product we will announce such two years in
: advance.

Of course. Unbound is sponsored by Verisign and the code was written by the big, bad, and ugly NSA agents. ... Sorry, please let us keep to safe ground.
No. From the experience of rolling out IPv6 as well as DNSSEC, I'm pretty sure that DNSSEC is much, much easier. You do not need to touch every device in the net. Only the DNS servers.
You need to touch _every_ resolver, otherwise it does not make sense, except for merchants. We do not want them to have an alibi to control us and charge us more. We want to be protected, including from them. The real daily danger for people's DNS is ISP name servers. Not a big one, but a real one.
You only have to touch your last trustworthy DNS server for providing DNSSEC validation. The clients are usually not involved. The application software is usually not involved. You only have to touch your authoritative DNS server for providing DNSSEC. That's why the introduction of DNSSEC is much easier than any IPv6 rollout.

------------------------------------------------------------------------
I do not want to talk about my business here. I try to keep it separate. So if you do not want to read about commercial issues, please stop reading.
------------------------------------------------------------------------
I give them such a tool. They can pay for remote signing. But they should do it themselves in the medium term. Those are their zones.
Is that in some beta form?
No, it's productive.
Do you have documentation?
Yes, but currently it's in German only.
How much do you charge?
For DNSSEC remote signing between one and ten Euro per zone and month. This covers the management costs, which relate mostly to the customer accounts, not the amount of zones to sign. Furthermore there are extra QoS fees for exclusive resource allocation: maximum signing delay, live signing, ... Those costs are calculated to pay for the somewhat expensive special hardware. We do not offer overbooked services.
How do the users consider this service: as something they prefer you do for them? That their ISP should eventually provide? etc.
This service is for companies, ISPs, and registrars who need to implement DNSSEC now, but need time to adapt their infrastructure, train their admins and hotline, and rewrite the tool chains. We offer them a way to buy time.
I do not think there is a DNSSEC business plan as such (as explained to Danny),
My explanation does contain some useful business cases even for the private user.
but if there can be some business plans already for some services, this is good news as it would certainly help (and hamper, because there would be in addition a young industry to deal with in case we want upgrades). These are certainly things important to know from you.
I hope I made my point clear enough without promoting commercial issues too much. Do you have further questions?
At 11:03 01/09/2008, Lutz Donnerhacke wrote:
On Mon, Sep 01, 2008 at 01:59:34AM +0200, JFC Morfin wrote:
At 01:04 01/09/2008, Lutz Donnerhacke wrote:
Please understand why the IANA signed root is not considered as production ready: They do construct errors in the zone to see how clients in the testbed react.
So, you mean they actually are working actively on deploying DNSSEC without anyone being informed?
Why did you not inform yourself before blaming others? http://ipv6.google.com/search?hl=de&q=ns.iana.org%2Fdnssec%2Fstatus.html
I blame no one. I just infer from your semantics (and side echoes from ccNSO) that the actual purpose is not technical validation but production, while production implies much more than technical validation.
I understand now why brother Danny teases us in asking if this is not a too urgent matter for ALAC :-)
DNSSEC is one of the current activities of ICANN and therefore a current matter for ALAC. One might ask if DNSSEC is too urgent for AtLarge, the ALSes, and the users out there. Because AtLarge should guide the process, the ALSes should think about this subject. That's why I would like to have a track at the summit.
This is correct. However, my question is for the ALAC (on behalf of the users) to decide first that DNSSEC / EDNS0 and NSEC3 is the way to go, technically, strategically and politically. The role of an advisory committee is to do just that, not to copy others' positions. In the process ALAC should also come up with additional DNSSEC deployment advice about the user side and the global consistency. For example, I raised the question at the IETF/WG-IDNABIS of the DNSSEC + IDN + IDNccTLD datagram size. When you consider the real status of the Internet (http://www.caida.org/workshops/wide/0801/slides/castro-ditl_comparison.pdf) you see that the EDNS0 proportion decreases. This means that both DNSSEC and IDNA will call for an EDNS oriented promotion campaign, from which IPv6 can only benefit. Would that not be the proper time to review the whole thing and build upon the synergy to base everything on an EDNS1 everyone could easily load (those to make aware and those who already have understood why they needed EDNS0)?
Please do not spread such FUD. Either you know that they pay for or drop your suggesting wordings here.
I just read their own stuff and look at their welcome page. http://www.unbound.net/
Of course. Unbound is sponsored by Verisign and the code was written by the big, bad, and ugly NSA agents. ... Sorry, please let us keep to safe ground.
If this is your position I leave it to you. If it is supposed to be a joke at my expense, I'm afraid you are totally off target :-)
No. From the experience of rolling out IPv6 as well as DNSSEC, I'm pretty sure that DNSSEC is much, much easier. You do not need to touch every device in the net. Only the DNS servers.
You need to touch _every_ resolver, otherwise it does not make sense, except for merchants. We do not want them to have an alibi to control us and charge us more. We want to be protected, including from them. The real daily danger for people's DNS is ISP name servers. Not a big one, but a real one.
You only have to touch your last trustworthy DNS server for providing DNSSEC validation. The clients are usually not involved. The application software is usually not involved.
You only have to touch your authoritative DNS server for providing DNSSEC.
That's why the introduction of DNSSEC is much easier than any IPv6 rollout.
As Euralo we have no Chinese user online. It would be interesting to know from them. Or from Comcast.
------------------------------------------------------------------------
I do not want to talk about my business here. I try to keep it separate. So if you do not want to read about commercial issues, please stop reading.
------------------------------------------------------------------------
Thank you for your answers. They are not commercial and show:

1) this is an operational market
2) for professionals who plan to run DNSSEC on their own in the future. I suppose it could be carried further on for private users.
3) the industrial cost is not prohibitive and will probably decrease if industrialised for end users. So there is a possible side-business plan.
4) the service would be operated for the time being by real professionals, so they would be flexible to system updates.
5) there are business cases that can be documented even for private users.

We could have most of this information at the ALAC summit, through your presentation. This would therefore help us very much to best assess an ICANN and/or DHS DNSSEC-Bis strategic plan and possibly improve it as a DNSSEC-Ter user and an IPv6/ROAP/BGP/NSEC3/EDNS1/ML-DNS/ISO11179 oriented consistent review. This is really great. First time in years that we can have an @large feed-back to the IETF/ICANN.

jfc
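Two points in the thread above are easy to check on the wire rather than argue about: Lutz's point that validation happens at the last trustworthy resolver while clients only see the result, and JFC's point that DNSSEC depends on EDNS0 (the DO bit and a UDP payload size above the classic 512 bytes). The following is an added example, not code from either participant or from Unbound, that builds a DNS query with and without an EDNS0 OPT record, inspects which capabilities a query advertises, and reads the AD flag a validating resolver sets in its answer. All packets are constructed in the script; the names `build_query`, `inspect_message` and `mark_as_response` and the name `example.org` are this example's own, and no real DNS traffic is sent.

```python
import struct

# Wire-format constants (RFC 1035 header flags, RFC 6891 OPT record).
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data: set by a validating resolver
TYPE_OPT = 41      # EDNS0 pseudo-RR type
EDNS_DO = 0x8000   # DNSSEC OK bit, high bit of the OPT "TTL" flags field


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns=True, udp_size=4096, do=True):
    """Build a recursive query; with edns=True an OPT record is appended
    to the additional section advertising udp_size and the DO bit."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # IN class
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode|version|flags (DO bit), RDLENGTH=0 (no options).
        ttl_field = EDNS_DO if do else 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl_field, 0)
    return msg


def mark_as_response(query: bytes, ad: bool) -> bytes:
    """Constructed stand-in for a resolver answer: copy the query and set
    QR (and AD when the resolver validated the data). The answer section
    stays empty; only the header flags matter for this example."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= FLAG_QR
    if ad:
        flags |= FLAG_AD
    return struct.pack("!HH", txid, flags) + query[4:]


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer, two bytes
            return off + 2
        off += 1 + length


def inspect_message(msg: bytes) -> dict:
    """Report EDNS0 presence, advertised UDP size, DO bit and AD flag."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"response": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "edns": False, "udp_size": 512, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["udp_size"] = rclass          # CLASS carries the payload size
            info["do"] = bool(ttl & EDNS_DO)
    return info


def dnssec_capable(info: dict) -> bool:
    """A query can carry DNSSEC data only with EDNS0, DO set and a payload
    size above the 512-byte limit of plain UDP DNS."""
    return info["edns"] and info["do"] and info["udp_size"] > 512


if __name__ == "__main__":
    q = build_query("example.org.")
    print("EDNS0 query:", inspect_message(q), dnssec_capable(inspect_message(q)))
    legacy = build_query("example.org.", edns=False)
    print("legacy query:", inspect_message(legacy))
    print("validated answer:", inspect_message(mark_as_response(q, ad=True)))
```

Run over a packet capture of resolver traffic, `inspect_message` is the measurement behind the EDNS0 proportion JFC cites: a query without an OPT record cannot receive signatures at all, while the AD flag on the answer is the only thing a stub client needs to read, which is why validation can be concentrated on the resolver.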