[AusNOG] What's even less popular than IPv6? DNSSEC!

Mark Prior mrp at mrp.net
Tue May 24 23:49:52 EST 2016


On 24/05/2016 22:42, Chris Jones wrote:
> 
>> On 24 May 2016, at 9:20 PM, Mark Prior <mrp at mrp.net> wrote:
>>
>> I've added a test for DNSSEC deployment to my existing IPv6 survey and
>> it's not pretty. Looking at the section that lists the organisations
>> that attended AusNOG2 shows no organisations (aside from me) using
>> DNSSEC on their domain and other sections are just as bare.
>>
>> <http://www.mrp.net/ipv6_survey/#ausnog>
>>
>> The obvious question is why isn't DNSSEC being deployed?
> 
> We’ve had trouble with registrars and DNSSEC support.  A bunch (* non-scientific research here) of them simply don’t support it, or support it via manual processes.
> 
> You thought ipv6 glue records were a pain, try getting DS records rotated...
> 
I haven't tried rotating the DS records but I've used both Gandi and
GoDaddy and they've been relatively painless system to install the DS.

My survey page identifies sites that have signed elements within their
zone but not completed the chain of trust (tagged as TRUST), which you
could do without dealing with your parent zone, and that doesn't show
much activity.

Mark.


More information about the AusNOG mailing list