On my flight from San Francisco to London this past weekend, I passed the one million mile mark. Those miles were logged over the course of years of flying with United and its partner airlines, but more than half of it was racked up while working for Infoblox, and a good portion of that while talking about DNSSEC.
What does one million miles of flying get you? On United, truthfully, not a whole lot. I’m now Premier Executive for life, which means that I get to board planes early and take up all your overhead storage space. I get to sit in the Economy Plus section of the aircraft for free. Woo. For the real perks — lifetime 1K status, equivalent to flying 100,000 miles per year — I need to fly three million miles. At the rate I’m earning miles, I’ll be so old by the time I hit that milestone that I wont want to fly anymore. And accruing miles any faster will earn me free membership in the Red Carpet Club for Recently Divorced Men.
But one million miles of flying, or whatever fraction of it I devoted to talking about DNSSEC, seemingly does buy you some progress in advancing the cause.
Now I don’t really think I moved the DNSSEC adoption needle in any measurable way, but I have noticed substantial changes on this trip. On my first stop, Zurich, our event featured a presentation by Alexander Gall from SWITCH, describing the signing of .CH and the infrastructure they employ to support it. At the event I just left in Noordwijk (in the Netherlands), Esther Makaay from SIDN talked about the signing of .NL, and the opening of registration of DS records to friends and family (next week, if I read my Dutch right).
I had only once before given a talk in a country with a signed top-level zone (in Sweden). (Well, you could argue that .US is signed. I don’t consider .US the top-level zone for the United States, though, just one of several.) This trip, the majority of the countries I’m visiting have signed top-level zones: My talk tomorrow is in London, and of course .UK is signed.
That’s good news for the DNS community. For people living in these countries, it’s one fewer impediment to the widespread adoption of DNSSEC and a very significant one. The burden now shifts to registrars and registrants in these countries: Registrars must provide support for DNSSEC to their customers, and registrants must sign Internet-facing zones and register Key-Signing Keys through their registrars. If their registrars don’t support DNSSEC and have no plans to, well, I’d say they’re not serious about the security of DNS and ought to be given an ultimatum: Provide a concrete commitment to support DNSSEC in the next 12 months or get ready for a domain transfer.