I recently did five talks in Europe on threats to DNS, leading up to the need to deploy DNSSEC. Several audiences asked me for my opinion on the right time to implement DNSSEC. Clearly, the lack of signed parent zones is an impediment for most of us: Unless your zones are children of .se, .cz, .br, .bg, or one of the few other signed TLDs, you’d need to distribute your zone’s public key to everyone you’d like to validate your zone data. That doesn’t scale, right?
Actually, that depends. I went for a run in Copenhagen one morning and got hopelessly lost. While wending my way through the quaint streets, I saw the logos of lots of prominent Danish companies. And I realized that if you’re a big player in a European country, say a Danish bank, you could probably sign your Internet-facing zones and walk your public key over to the three largest ISPs in Denmark in an afternoon. (Or you could give it to me and I’ll drop it off while trying to find my way back to the Hotel Sankt Petri.) This is just a guess, but in Denmark, that might cover half of consumer Internet users or even more – well worth doing! And the first mover could crow about their more secure Internet presence and turn it into a competitive advantage, thereby cowing competitors into signing their external zones, too.
Certainly this technique won’t work everywhere, but it might even work here in the U.S. for a company with a high enough profile, like eBay or Bank of America. It’d be harder to get 50% of consumer Internet users, but if you could line up a few key ISPs, like AT&T, Verizon and Comcast (who are already running a DNSSEC validation trial), that’d be a good start.
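For the ISP side of the hand-off described above, here is an added example (not from this post, and not any particular ISP's configuration) of what a BIND 9 recursive resolver would carry once a zone owner has delivered its public key-signing key; "example.dk." and the key material are placeholders, and algorithm 5 (RSA/SHA-1) is assumed.

```conf
// Added example: BIND 9 recursive resolver validating one child zone
// whose parent (.dk here, hypothetically) is unsigned, using a trust anchor
// that the zone owner delivered out of band.
// "example.dk." and the key string are placeholders, not a real zone or key.
options {
    dnssec-enable yes;
    dnssec-validation yes;   // validate answers under any configured trust anchor
};

// The public KSK exactly as published in the zone's DNSKEY RRset:
// flags 257 (KSK), protocol 3, algorithm 5 (RSA/SHA-1), then the base64 key.
trusted-keys {
    "example.dk." 257 3 5 "PLACEHOLDER-BASE64-PUBLIC-KEY==";
};
```

To confirm the anchor is in use, query the resolver with `dig @resolver www.example.dk A +dnssec` and look for the `ad` flag in the answer. Note the operational cost this creates: with no DS record in the parent, every KSK rollover means re-delivering the new key to each ISP before the old one is retired, or their validators will start returning SERVFAIL for the zone.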
What do you think? Are there other ways to jumpstart DNSSEC deployment?