[dnssec-coord] Thoughts on when to designate a newgTLD as "Operational" in DNSSEC deployment maps?

Steve Crocker steve at shinkuro.com
Tue Apr 15 15:04:42 PDT 2014


Background, which you know but others may not:

For the ccTLDs, I was indeed using direct reporting and accepting whatever a reliable contact for the ccTLD operator reported.  (There is also a field to encode the likely credibility of the data.  If it comes from someone in the TLD registry itself, the code is 3.  If it comes from someone in a related operation, e.g. a registrar, the code is 2.  Anything else is 1.  The only thing more reliable is automated testing, which gets a code of 4, and that applies only to those pieces of data that are directly testable, e.g. DS in the root at the time of probing.)

As you’ve pointed out, this is labor intensive and doesn’t scale very well.  I basically like your idea, but instead of arbitrarily picking a threshold, how about talking to a small handful of the registries to find out what their process is for moving from “partial”, e.g. the SOA is signed, to “operational”, i.e. accepting signed delegations.



On Apr 15, 2014, at 4:05 PM, Dan York <york at isoc.org> wrote:

> DNSSEC-coord members,
> I have a question upon which I'd love your advice/feedback.  In the DNSSEC Deployment Maps[1] that we distribute weekly we do include the current status of all the newgTLDs.  They don't show up in the maps, of course, but do appear in the accompanying CSV files.  So far I have just indicated when they have a "DS in Root" which is easy to determine from sites like Rick Lamb's https://rick.eng.br/dnssecstat/
> The question is how to know when to move them to "Operational" status meaning that they are accepting signed delegations from registrars/registrants.  Really the only way to know this is to contact or watch each registry somehow... and there are too many of them for me to do that.
> It was pointed out to me in Singapore by Duane Wessels that all newgTLDs have to use the Centralized Zone Data Service (CZDS)[2] and that someone ought to be able to query the CZDS and come up with a site showing which domains have signed domains.
> It turns out that someone is already sort of doing this at this site: http://ntldstats.com/  where we learn the fact that of 486,070 registered newgTLD domains, only a whopping 915 of them are signed. :-(     
> If you go onto this specific page, though, http://ntldstats.com/tld , you can see how many signed domains are under each of the newgTLDs.  I would not have guessed that the order would be .TIPS, .TATTOO, .SEXY and .EMAIL.
> Anyway, my thinking is to designate a newgTLD as "Operational" in the maps database once it passes some number of signed domains in a list like the one on this site.  Because there may be some experimental or operational domains that could be signed by the registry before making it available to all, I don't think the existence of 1 or 3 domains may be enough to say "Operational".  Part of me says perhaps "5"... or maybe 10 just to be safe.
> What do you think of that as a mechanism?  Do you think it would be fair to list a newgTLD as "Operational" when it has, say, 10 or more signed domains inside the TLD?
> Or does anyone have another suggestion?
> Thoughts and comments are appreciated.
> Thanks,
> Dan
> [1] http://www.internetsociety.org/deploy360/dnssec/maps/
> [2] http://newgtlds.icann.org/en/program-status/czds
> --
> Dan York
> Senior Content Strategist, Internet Society
> york at isoc.org   +1-802-735-1624
> Jabber: york at jabber.isoc.org 
> Skype: danyork   http://twitter.com/danyork
> http://www.internetsociety.org/deploy360/ 
> _______________________________________________
> dnssec-coord mailing list
> dnssec-coord at elists.isoc.org
> https://elists.isoc.org/mailman/listinfo/dnssec-coord

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://elists.isoc.org/pipermail/dnssec-coord/attachments/20140415/321a2d2f/attachment.html>

More information about the dnssec-coord mailing list