Comments

Re: Commercial DNSSEC? Wes Hardaker  –  Feb 26, 2007 9:09 AM PST

FYI, the DNSSEC-Tools project (www.dnssec-tools.org) already has a security-aware browser (Firefox), email reader and other applications…

Re: Commercial DNSSEC? Christopher Parente  –  Mar 02, 2007 2:31 PM PST

Very interesting article. I think that for many of the reasons you list, Paul Vixie and ISC were working on DLV.

But recently the F Root/NeuStar announcement came out. By inserting authoritative servers inside major ISPs—the DNS Shield—don't you get some of the benefits of DNSSEC? Not for everyone of course, but for the customers of NeuStar/UltraDNS?

Re: Commercial DNSSEC? Ram Mohan  –  Mar 21, 2007 7:35 AM PST

"Registry operators who would have the responsibility for doing serious DNSSEC work - and hence incur a burden of cost - cannot see a way to make additional revenue."

Ron, I manage a registry, and must share with you that the reason suggested above is not accurate in the least.  Implementing DNSSEC is a fundamental security initiative, not a revenue initiative.  In my view, registries manage a public trust, and had better work to implement appropriate measures to secure core infrastructure.

The problem we have faced is complete apathy from both network operators and registrars, who together occupy a significant part of the value chain.  They, in turn, say that there is no perceived demand from the end-users.

That is why I am a proponent of branding DNSSEC, into something recognizable and accessible to a non-techie.  Many years ago, someone clever decided to market the "lock" on the browser, not SSL - and it seems to have worked into becoming a mainstream demand.

-Ram

Re: Commercial DNSSEC? Ron Aitchison  –  Mar 21, 2007 3:23 PM PST

Ram:
It seems to me that we may be in danger of violent agreement!
To egregiously simplify there are two registry operator models - the "act of faith" model (to which Sweden, RIPE and others belong) and let's call it the user responsive model (cynics may term it the commercial model) who will implement DNSSEC if they perceive a user demand - which I agree is entirely lacking at this time.
I tried in the article to address why, given the real and present dangers, user demand is not present and concluded that - given the current DNS infrastructure landscape - domain owners cannot guarantee end-user integrity of their domain data and until this issue is addressed domain owner demand will not follow. For sure there are other issues, such as domain-owner education, which will contribute to the total equation.
The standards as currently written do allow for end-user domain data integrity but to achieve this objective may require a fairly radical overhaul of the way DNS data is delivered to an end-user application (say a browser). The tools and packaging being developed and experimented with at UNBOUND and www.dnssec-tools.org (thanks to Wes for the link) I think point the way forward.
However, the packaged DNSSEC delivery vehicle is as you point out best accomplished by a simple confidence-inspiring button or symbol easily recognised by an end-user.
If the current DNS hierarchy does not embrace the end-user problem some other organization(s) will. Those organization(s) will become very powerful, by being sited in a controlling position, from which they can leverage all kinds of benefits - one of which may be to remove any possibility of future value-added from the current operators.

Re: Commercial DNSSEC? Ondrej Sury  –  Jun 05, 2007 11:26 AM PST

Ron, just to give you a little hope that things are starting to move (slowly).

.cz and .0.2.4.e164.arpa registry is going DNSSEC next year (most probably I.Q-II.Q).  Unfortunately we are too busy this year.

Ondrej
