If I understand it correctly, and from my own point of view, the main
hang-up is that the root zone and TLDs aren't signed. I can't help but
feel that if the TLD registrars (e.g. Nominet for .uk, EurID for .eu
etc.) signed their root/TLD zones and set the standard, plenty more zone
admins would see the benefits and do the same. Sure ISC has a dnssec
verifying system, but that's just added traffic to another network (if I
understand correctly, for each zone in the "domain tree", a resolver
would have to contact ISC as well as the normal nameservers in the

I have it on my list of to-dos to sign my own zones fairly soon, but
that's only another 20 or so in the grand scheme of things.


Wolfgang S. Rupprecht wrote:
> All this talk of spoofing attacks got me to get off my duff and
> configure dnssec for the ~dozen zones I'm authoritative for. Sadly it
> looks like that dozen may have put a noticeable blip into the number
> of production zones using dnssec. (ref: http://secspider.cs.ucla.edu/
> -- 970 production zones using both KSKs and ZSKs, 10,552 if you also
> count the zones that only use one key etc.) Sigh. Seeing how there are
> over 100M domains in existence this isn't a very high percentage.
> The question is, what is the hang-up? Are the computational resources
> needed much higher? Does the added dnssec traffic cause a significant
> increase in bandwidth? Short of moving to Sweden, are there any TLDs
> that will sign one's dnssec records today? A quick check seemed to
> indicate that the most promising candidate is "org.", but that won't be
> open to the general public till 2010 according to their timetable.
> The others don't seem to even have a public timetable. A quick trip
> to the ARIN website doesn't show anything promising there either. I
> guess I really didn't want to register my rDNS keys after all.
> Is there something a lowly end-user should be doing to make this all
> work?
> -wolfgang
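The reply above argues that with an unsigned root and unsigned TLDs a signed zone is an island of trust, and that a resolver using ISC's DLV lookaside registry pays an extra query per zone cut to close the gap. The following is an added example, not code from either poster or from ISC: a small Python model of chain-of-trust validation that counts the authoritative queries a validating resolver issues with and without a DLV registry. The zone set, the `dlv` set standing in for the registry, and the simplification that DS presence alone makes a delegation secure are all constructed assumptions; real validators also check key and signature correctness.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    """Constructed view of one zone as a validating resolver sees it."""
    name: str           # fully qualified, e.g. "example.uk."
    signed: bool        # zone publishes DNSKEY and RRSIG records
    ds_in_parent: bool  # parent zone carries a DS record for this zone's KSK


def zone_cuts(name: str) -> list[str]:
    """Delegation points from the root down to `name`,
    e.g. "example.uk." -> [".", "uk.", "example.uk."]."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    cuts = ["."]
    for i in range(len(labels) - 1, -1, -1):
        cuts.append(".".join(labels[i:]) + ".")
    return cuts


def validate(name: str, zones: dict[str, Zone], trust_anchors: set[str],
             dlv: set[str] | None = None) -> tuple[str, list[str]]:
    """Walk the chain of trust from the root to `name`.

    Returns (status, lookups): status is "secure" when every zone cut is
    vouched for by a local trust anchor, a DS record in a trusted parent,
    or (if `dlv` is given) an entry in the lookaside registry; otherwise
    "insecure". `lookups` records every query issued, so the cost of the
    extra DLV round trips is visible.
    """
    lookups: list[str] = []
    trusted = False
    for cut in zone_cuts(name):
        zone = zones.get(cut, Zone(cut, signed=False, ds_in_parent=False))
        lookups.append(f"DNSKEY {cut}")
        if cut in trust_anchors and zone.signed:
            trusted = True        # locally configured key vouches for this zone
            continue
        if trusted and zone.signed and zone.ds_in_parent:
            continue              # parent's DS record vouches: chain continues
        trusted = False           # chain of trust is broken at this cut
        if dlv is not None:
            lookups.append(f"DLV {cut}")   # extra query to the DLV operator
            trusted = cut in dlv and zone.signed
    return ("secure" if trusted else "insecure"), lookups


# Constructed snapshot resembling the situation the thread describes:
# root and .uk unsigned, a signed zone under .uk as an island of trust,
# and a signed TLD (.se) whose parent is still unsigned.
ZONES = {
    ".": Zone(".", signed=False, ds_in_parent=False),
    "uk.": Zone("uk.", signed=False, ds_in_parent=False),
    "example.uk.": Zone("example.uk.", signed=True, ds_in_parent=False),
    "se.": Zone("se.", signed=True, ds_in_parent=False),
    "example.se.": Zone("example.se.", signed=True, ds_in_parent=True),
}


def main() -> None:
    cases = [
        ("example.uk.", set(), None),              # island of trust, no DLV
        ("example.uk.", set(), {"example.uk."}),   # island registered in DLV
        ("example.se.", {"se."}, None),            # manually anchored TLD key
        ("example.se.", set(), {"se."}),           # TLD key found via DLV
    ]
    for name, anchors, dlv in cases:
        status, lookups = validate(name, ZONES, anchors, dlv)
        print(f"{name:14} anchors={sorted(anchors)!s:8} dlv={dlv} "
              f"-> {status}, {len(lookups)} queries: {lookups}")


if __name__ == "__main__":
    main()
```

Running it shows the trade-off both posters circle around: `example.uk.` can only validate through DLV, and doing so adds one query per zone cut on the path; once a parent is vouched for (here `se.`), the normal DS chain takes over and no further DLV queries are needed.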