dnssec

Wolfgang S. Rupprecht wolfgang.rupprecht+gnus200807 at gmail.com
Fri Jul 25 17:33:42 UTC 2008


All this talk of spoofing attacks got me to get off my duff and
configure dnssec for the ~dozen zones I'm authoritative for.  Sadly it
looks like that dozen may have put a noticeable blip into the number
of production zones using dnssec.  (ref: http://secspider.cs.ucla.edu/
-- 970 production zones using both ksk's and zsk's, 10,552 if you also
count the zones that only use one key etc.) Sigh. Seeing how there are
over 100M domains in existence, this isn't a very high percentage.

The question is, what is the hang-up?  Are the computational resources
needed much higher?  Does the added dnssec traffic cause a significant
increase in bandwidth?  Short of moving to Sweden, are there any TLD's
that will sign one's dnssec records today?  A quick check seemed to
indicate that the most promising candidate is "org.", but that won't be
open to the general public till 2010 according to their timetable.
The others don't seem to even have a public timetable.  A quick trip
to the ARIN website doesn't show anything promising there either.  I
guess I really didn't want to register my rDNS keys after all.  

Is there something a lowly end-user should be doing to make this all
work?

-wolfgang
-- 
Wolfgang S. Rupprecht			http://www.wsrcc.com/wolfgang/

