Happy New Year!
I just got off a worldwide phone conference with the DNSSEC deployment working group. There was a good discussion on getting DNSSEC more widely deployed, including barriers and accelerators.
A big issue that people were worried about was the publication of trust anchors. How do people know they are trustworthy? Where do you go to get trust anchors? How do you publish to a trust anchor repository? Should the registrars be involved?
So... let's be pragmatic and proceed with baby steps.
The TAR-fetcher program I mentioned in an earlier posting should be easily installed by a typical ISP using YUM or some equivalent installation program. When the program runs, it should allow some simple configuration settings to say which TARs it should fetch. (I call these "small", "medium" and "large".) Now come the baby steps...
To start, an operator wants to verify that turning on DNSSEC has not broken anything. Only a few trust anchors should be installed (maybe .gov, .org, .se and a few others).
After a trial period, the operator could change the configuration to "medium", which would include more trust anchors. Finally, "large" might include the trust anchors associated with .com or other miscellaneous anchors.
These baby steps allow for incremental optimization and experimentation... on a widespread basis with thousands of ISPs, enterprises and institutions.
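To make the tiered approach concrete, here is an added example of how a TAR-fetcher could map the "small", "medium" and "large" settings to anchor sets and refuse to install any fetched anchor that does not match a fingerprint the operator obtained out of band. This is illustration code, not code from the original post, from autotrust, or from any other TAR-fetcher project. The tier membership follows the post (.gov, .org and .se first, .com last); the extra "medium" zone names, every DS record, and every fingerprint are constructed placeholders, and the output format assumes Unbound's `trust-anchor:` directive.

```python
"""Tiered trust-anchor installer with out-of-band fingerprint checks (added example)."""
import hashlib
from typing import Dict, List, Tuple

# Cumulative tiers: "medium" extends "small", "large" extends "medium".
# Zone names other than gov/org/se/com are placeholders, not real recommendations.
TIERS: Dict[str, List[str]] = {
    "small": ["gov.", "org.", "se."],
    "medium": ["gov.", "org.", "se.", "example-tld-a.", "example-tld-b."],
    "large": ["gov.", "org.", "se.", "example-tld-a.", "example-tld-b.", "com."],
}

# What a trust-anchor repository (TAR) might hand back. Constructed values:
# the key tags and digests are placeholders of the right shape, not real DS records.
TAR_RESPONSE: Dict[str, str] = {
    "gov.": "gov. DS 1001 8 2 " + "11" * 32,
    "org.": "org. DS 1002 8 2 " + "22" * 32,
    "se.": "se. DS 1003 8 2 " + "33" * 32,
    "example-tld-a.": "example-tld-a. DS 1004 8 2 " + "44" * 32,
    "example-tld-b.": "example-tld-b. DS 1005 8 2 " + "55" * 32,
    # Deliberately wrong: the digest differs from the pinned copy below.
    "com.": "com. DS 1006 8 2 " + "66" * 32,
}


def canonical(record: str) -> str:
    """Normalise whitespace and case so a fingerprint survives reformatting."""
    return " ".join(record.split()).lower()


def fingerprint(record: str) -> str:
    """SHA-256 over the canonical form of a DS record."""
    return hashlib.sha256(canonical(record).encode()).hexdigest()


# Pins obtained out of band (zone operator's publication, a printed fingerprint,
# a previously validated copy). Constructed here; the com. pin intentionally
# matches a different record than the one the TAR served above.
PINNED: Dict[str, str] = {
    zone: fingerprint(rec) for zone, rec in TAR_RESPONSE.items() if zone != "com."
}
PINNED["com."] = fingerprint("com. DS 1006 8 2 " + "ab" * 32)


def select_anchors(level: str) -> List[str]:
    """Return the zones whose anchors the chosen tier installs."""
    if level not in TIERS:
        raise ValueError(f"unknown tier {level!r}; expected one of {sorted(TIERS)}")
    return list(TIERS[level])


def verify_anchor(zone: str, record: str, pins: Dict[str, str]) -> bool:
    """Accept a fetched anchor only if it matches the pinned fingerprint."""
    expected = pins.get(zone)
    return expected is not None and fingerprint(record) == expected


def build_unbound_config(level: str, tar: Dict[str, str],
                         pins: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (accepted config lines, rejected zones) for the chosen tier.

    A zone that is missing from the TAR or fails verification is left out,
    so the resolver never validates against an unverified anchor.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    for zone in select_anchors(level):
        record = tar.get(zone)
        if record is None or not verify_anchor(zone, record, pins):
            rejected.append(zone)
            continue
        accepted.append(f'trust-anchor: "{record}"')
    return accepted, rejected


if __name__ == "__main__":
    for tier in ("small", "medium", "large"):
        lines, bad = build_unbound_config(tier, TAR_RESPONSE, PINNED)
        print(f"# tier={tier}: {len(lines)} anchors installed, rejected={bad}")
        print("\n".join(lines))
```

Running it with the constructed data installs three anchors for "small", five for "medium", and for "large" installs five while reporting com. as rejected, which is the behaviour an operator wants: a tampered or stale repository entry costs you validation for that zone, not a silent switch to an attacker-chosen key. The pins could be kept in a separate file the operator edits by hand, so changing tiers never changes what counts as trusted.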
As far as TAR-fetcher programs go, the auto-trust program from nlnetlabs (www.nlnetlabs.nl) is something worth looking at. Paul Wouters from Xelerance has proposed a utility program to configure and prime DNSSEC. I'll experiment with that and let you know the results in a future posting.