Internet2 Network Security SIG

[Karl Reuss <>]

Maybe tedious isn't the right word.   Overwhelming?    I just run a very 
unscientific test with a few scripts.   I looked at all speakers for the 
upcoming TechEX and grepped for 'University'.  I found 42 corresponding .edu 
DNS names, but only three of them have DS records.  upenn.edu is one of the 
few.  Something is slowing the adoption of DNSSEC in higher-ed.

-Karl


On 12/6/19 11:58 AM, O'Brien, John W wrote:
> "DNSSEC is tedious to setup" sounds like it harkens back to the early 
> (dark) days of DNSSEC. My experience lately is that DNSSEC validation 
> couldn't possibly be easier to setup---some implementations have even 
> started enabling it by default---and that signing is quite straight 
> forward. Maybe that means I should give one of these tutorials of which you 
> speak. __ 
>
> On 2019/12/06, 11:21, " on behalf of Karl Reuss" 
> < on behalf of > wrote:
>
>     On 12/5/19 9:13 PM, John Kristoff wrote:
>     > Alternatively, an Internet2 owned and operated authoritative,
>     > secondary, or resolver service might also be a worthwhile member
>     > benefit to take advantage of.  If Internet2 could run some anycast
>     > instances for us to secondary on as part of our membership fee or for
>     > a nominal fee, that would be really, really nice.
>     >
>     
>     This is an excellent idea!
>     
>     
>     I would add DNSSEC tutorials to the list.  DNSSEC is tedious to setup, 
> but helps with hardening both the authoritative and recursive sides of DNS.
>     
>     
>     -Karl
>     
>     
>     
>     
>