two data points:

- Comcast has greatly facilitated the e2e authentication model by funding DNSMASQ to support DNSSEC validation. Since this piece was missing, the landscape has changed.
- Paul Hoffman has pulled together a functional replacement for the DNS APIs… see: http://www.vpnc.org/getdns-api/ This gets past the validator and into the Application.

I -think- that there is an actual path now for DNSSEC. If you are looking for opaqueness, consider this third bit:

- http://www.isi.edu/ant/tdns/index.html … swaps out UDP for TLS as the DNS transport.

YMMV of course. Chunks of this development and testing will no doubt occur in the ISI/RINOC testbed.

/bill
Neca eos omnes. Deus suos agnoscet.

On 28April2014Monday, at 14:16, Trevor Freeman <trev...@exchange.microsoft.com> wrote:

> Hi Noel,
>
> If DNSSEC is used in corporations, that may be an interesting data point but
> perpass is specifically looking at the internet so it does not help much.
>
> I understand there could be some benefit to adding some other filter to the
> data but the number to try and try to add a better quality metric. But absent
> that, the number is what it is. Happy to have the discussion on how we would
> consider what to filter on and maybe Verisign could provide more attributes
> with the data for use to mine the information.
>
> I did some ad-hoc research and amongst the prominent internet services or
> financial institutions, there seems little evidence of DNSSEC. The only bright
> spot seemed to be government web sites, though here the deployment was still
> inconsistent in that government agencies have many web sites not part of the
> base domain and these were often not signed.
>
> Trevor
>
> -----Original Message-----
> From: perpass [mailto:perpass-boun...@ietf.org] On Behalf Of Noel David Torres Taño
> Sent: Monday, April 28, 2014 1:02 PM
> To: perpass@ietf.org
> Subject: Re: [perpass] Is DNSDEC a viable technology for perpass?
>
> On Mon, 28-04-2014 at 18:38 +0000, Trevor Freeman wrote:
> > We have a range of technologies in the toolkit to address issues
> > identified by perpass.
> >
> > One of the candidate technologies is DNSSEC. At a technology level it
> > has much to commend it.
> >
> > The vast majority of critical TLDs are signed, so another good point
> > in its favor.
> >
> > However when you look at the next tier down, the statistics point to a
> > problem.
> >
> > According to the Verisign labs scoreboard, 340K+ domains in the .com
> > namespace are secured by DNSSEC
> >
> > http://scoreboard.verisignlabs.com/
> >
> > If you express that number as % that is about 0.4% and the growth
> > trend is about 0.1% per year
> >
> > http://scoreboard.verisignlabs.com/percent-trace.png
> >
> > The trend seems about 2 orders of magnitude below where we need to be
> > for DNSSEC to be viable in a realistic timescale.
> >
> > Am I misinterpreting the data? If not, then do we have consensus on
> > what is blocking deployment?
> >
> > Trevor
> >
>
> Which are the numbers for .org ?
>
> This one should have a little percentage of garbage, parked domains, etc.
> Moreover, it is less used by corporations with large IT departments and more
> used by small organizations like Libre Software projects.
>
> And it is very important to trust the software you download.
>
> Regards
>
> Noel
> er Envite
>
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass