>> I think it's fair to say that we're still a long way away from broad
>> DNSSEC adoption. This doesn't mean we should ignore it, but it does
>> mean that non-DNSSEC approaches like the one here are worth thinking
>> about.
>
>Quite fair, though DNSSEC adoption does not happen in a vacuum, there
>have to be incentives to do it. If the large providers got enough round
>twoits and implemented DANE/DNSSEC for their domains, there would be
>a stronger incentive for others to follow suit.

It's more complicated than that. Google has said that they could turn on DNSSEC for their domains if they wanted, but there's still enough stuff that breaks other places that they won't.

On my tiny system, I have about 300 zones, all signed, but I've only been able to install parent DS records for about half of them, my own and ones for which I'm the registrar reseller. A few are in TLDs that still don't do DNSSEC, gTLDs .aero and .travel, for example. The rest are registered by other people, and although the registries have delegated DNS to me, I have no practical way to tell them what DS records to use.

There's some work in dnsop to try and fix that, see draft-dnsop-ogud-maintain-ds

R's,
John

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
