Well
I have no doubt that if I sat down and needed to deploy this for a single domain, I could probably get it done in a day if I had nothing else to do. But as someone who runs their own domains, has their own servers, and plays about with DNS as required (e.g. I IPv6 enabled my domains one day when I was bored, proved my ownership of a domain via TXT cookies, implemented my own SPF records etc.), I can safely say that I'm still not entirely sure what the hell I'm doing when it comes to DNSSEC, or whether I'm doing it right, or whether what I do would make it any more secure.
There seems to be a complete lack of readable documentation - if it isn't RFC-level, then it's just a checklist of commands to blindly run in Ubuntu/Bind (and no clear advice on what to publish and what not, and what parts of those things are private and should be deleted/stored securely, etc.). And at the end of the day, I have little idea exactly how, say, .org.uk is magically authenticating my domains/nameservers via a record I publish on said nameserver. I've a mathematical degree, for God's sake (albeit a decade ago), and studied cryptography but the various records, signings, etc. aren't immediately enlightening me on how to deploy DNSSEC at all, and certainly not how to know whether I've done it properly.
And everything seems to want to use bind tools. Shockingly, most people don't run their own bind nameserver for their domain - and literally just want to be given a DS record they can publish, or ask their host to publish for them. Then you have the question of updates and expiration. Just how often, exactly, am I going to be required (either automatically or manually) to push our new DS records because something, somewhere expired? And if I don't update them properly, DNSSEC-enabled servers will see my domain as "untrusted" - whereas if I *don't* publish anything at all, I can sit quietly in a greylist somewhere and never have a problem until everything is DNSSEC and people decide to actually require it?
So until DNSSEC is literally "built-in" to domains and domain-hosting packages somehow, it'll be a long while before it meets mass-adoption. Hell, people aren't using IPv6 and that's simple enough now and explicitly supported in all major operating systems (not to mention a requirement of things like DOCSIS 3 and some mobile technologies).
DNSSEC proponents really need to think not of ISP's and mass-domain-hosts (who should have people more than skilled enough to do this, and a business reason to ensure it stays updated), but of the people who own domains (who may be reliant on those hosts/ISP's, running their own VPS, etc.) who literally just want a checkbox procedure to DNSSEC-enable themselves. At the moment, it seems far too complex and uncertain for a five-minute deployment to actually be possible and help the domain owner.
Compare to SPF, for example, where - yes - you can break email reception/sending for your domain if you do it wrong but it literally takes minutes to get it right, or correct a mistake, and then you never have to worry again until you change the servers receiving/sending your email. Compare to IPv6 where IPv6 day pretty much proved that you aren't going to break anything by deploying it and a five minute enabling process is available (and the only issues are having another avenue of entry to secure, enabling IPv6 in daemons, firewalls, etc.).
DNSSEC is a bit of a hideous nightmare at the moment, so no-one is touching it, so Nominet really have to push things like this. Until the time that such tick-a-box functionality is available to someone who owns a domain through every host/ISP, does anyone have a simple run-through, that isn't bind-specific, explains what's going on and explains which bits of the process are secret, should be published, how and who to and how often? At the moment, it just seems one big modern mess.
Biting the hand that feeds IT
