For your information. I took the liberty to raise awareness of DNSSEC
with the Broadband Forum. They are currently updating the minimal
specifications of the consumer grade network devices, like DSL modems
and routers, to support IPv6. I pointed out it may be the right time to
think about DNSSEC, too.

I think it is important for us, the Internet users at-large, to be
confident that the next time we upgrade/replace our network equipement
at home we will not have to worry about possible incompatibilities with
DNSSEC.

More information about the Broadband Forum at http://www.broadband-forum.org

Patrick

-------- Original Message --------
Subject: RE: Comments on TR-124 and PD-192_02
Date: Wed, 22 Jul 2009 10:29:17 -0500
From: Heather Kirksey
To:
References: <21dd91bdc77cff699747087570d9a466@localhost>

Patrick,

Thanks very much for your feedback. This specific update to TR-124
is only scoped to include changes required for the support of IPv6
in the RG (why we sent the document to v6ops), but we do have a
parallel effort focused on updates in general to the gateway
requirements. I will pass this along as input to the champions
of that effort.

Thanks,
Heather

-----Original Message-----
From: Patrick Vande Walle [mailto:patrick@vande-walle.eu]
Sent: Tuesday, July 21, 2009 5:52 AM
To: Heather Kirksey
Subject: Comments on TR-124 and PD-192_02

Dear Heather,

I read with interest the PD-192_02 document that was forwarded to the
v6ops@ops.ietf.org and wanted to draw your attention on a related subject.

You are aware that the Internet community plans to deploy DNSSEC over the
next few years. At the same time, several recent studies have demonstrated
that not all SOHO CPE devices are able to transparently pass on - or act as
resolvers for - DNSSEC queries. The success of a globally secure DNS system
is tightly linked to its support in end user equipment. It is only when the
whole chain of the DNS resolving process will be security-aware, from the
root down to the client computer, that we will see the benefits of
increased security in DNS queries. As an example, Microsoft has announced
that the forthcoming version of its operating system will feature a
DNSSEC-aware stub resolver.

Currently the LAN.DNS requirements in both TR-124 and PD-192 do not
explicitly state such support is needed, neither do they contain a
reference to RFC 2535.

Home gateways being devices that consumers do not replace often, I think it
would be an oversight to put on the market brand new devices supporting
IPv6, but missing support of the 10 year old DNSSEC specification.

Sincerely,

Patrick Vande Walle
Vice-Chair
DNS security WG
ICANN At-Large Advisory Committee

--
Patrick Vande Walle
Blog: http://patrick.vande-walle.eu
Twitter: http://twitter.vande-walle.eu

_______________________________________________
Dns-security-wg mailing list
Dns-security-wg@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/dns-security-wg_atlarge-...