All this talk of spoofing attacks got me to get off my duff and configure dnssec for the ~dozen zones I'm authoritative for. Sadly it looks like that dozen may have put a noticeable blip into the number of production zones using dnssec. (ref: http://secspider.cs.ucla.edu/ -- 970 production zones using both ksk's and zsk's, 10,552 if you also count the zones that only use one key etc.) Sigh. Seeing how there are over 100M domains in existence, this isn't a very high percentage.

The question is, what is the hang up? Are the computational resources needed much higher? Does the added dnssec traffic cause a significant increase in bandwidth?

Short of moving to Sweden, are there any TLD's that will sign one's dnssec records today? A quick check seemed to indicate that the most promising candidate is "org.", but that won't be open to the general public till 2010 according to their timetable. The others don't seem to even have a public timetable. A quick trip to the ARIN website doesn't show anything promising there either. I guess I really didn't want to register my rDNS keys after all.

Is there something a lowly end-user should be doing to make this all work?

-wolfgang
--
Wolfgang S. Rupprecht
http://www.wsrcc.com/wolfgang/
