[Discuss] free SSL certs from the EFF

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Bill Horne
> 
> On 12/7/2014 2:57 PM, Richard Pieri wrote:
> > A few days ago Ed posited that we'll get there someday. Truth is,
> > we've been there for some time. With DNSCurve and DNSCrypt we have
> > exactly the kinds of encrypted DNS service that he called for. Why
> > haven't they been widely adopted? I figure it's a "Paul Vixie, yes!
> > DJB, no!" issue.
> 
> More likely, an "Oh my aching back! The IT crew wants more money again!"
> issue. :-(

There's no reason the IT people should need any money to do DNSSEC.

It's just like https; no reason not to do it.  Takes a few minutes to set up - and I'm not sure if you have to pay somebody for a key or something.

It's also relatively new.  Based on the other thread "DNSSEC," it sounds like RFC 3597 since 2003 is necessary in order for DNSSEC not to be broken by old relays.  I wish I could say I didn't know of any 11-year old relays in the field.  Effectively, it all began in 2010 - so it's only the last 4 years that there's any hope of this being useful to end clients.

Right now, godaddy charges a premium to support DNSSEC.  Namecheap doesn't yet support it.  Route53 doesn't support it.

So why isn't it more popular yet?  That question is pretty solidly answered now...  Not to mention, endpoints don't generally support it yet.

Based on everything I've read and written in the last couple of weeks on this, I think the world is ready to start seeing DNSSEC deployed and supported more.  So please continue making noise and demanding it from your registrars and dns providers!  (Both your registrar and your dns provider must support it.)