About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: [dns-wg] NTIA and RIPE

  • To: Edward Lewis <Ed.Lewis@localhost
  • From: Patrik Fältström paf@localhost
  • Date: Thu, 30 Oct 2008 08:05:55 +0400
  • Authentication-results: ams-dkim-1; header.From=paf@localhost dkim=pass ( sig from cisco.com/amsdkim1002 verified; );
  • Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=4551; t=1225339558; x=1226203558; c=relaxed/simple; s=amsdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=paf@localhost z=From:=20=3D?ISO-8859-1?Q?Patrik_F=3DE4ltstr=3DF6m?=3D=20<p af@localhost |Subject:=20Re=3A=20[dns-wg]=20NTIA=20and=20RIPE |Sender:=20; bh=w8RyIV0WVYQZfUy3Ulxd9aClIBrLj0gBq4gfOM0y1KY=; b=OubANgBVhokN3IzRcA4LDSJY1G4yjHylKfAvYmpbqhwb9/gEn2b3yYWeoZ 84frPMxcq2QAVpgRYnAfC2THyir2Y3tNtLf9hM8Xfp+piTpRXMcsuaXp4bKv tTQKvzHLm7;
On 29 okt 2008, at 19.30, Edward Lewis wrote:
Regardless of my personally agreeing with such a statement or not, here are my reactions to some of the bullets. 

Let me clarify what discussion lead to each one of them.


At 15:01 +0400 10/29/08, Patrik Fältström wrote:


B - The addition of DNSSEC to the root zone must be recognised as a
global initiative.


I'm unclear on the intent of the B statement.  See my comment on E.
Running the root zone is something that have impact on everyone. Not only organisations and individuals in the USA. This include of course an urge to NTIA to take comments from entities from abroad into consideration, just like comments from entities within the USA.
E - Any procedural changes introduced by DNSSEC should be aligned with the process for coordinating changes to and the distribution of the root zone.
In some interpretations of B & E, these two could be conflicting. I.e., B implies that the current state of root zone management is too centered in the US, E evokes a message encouraging the status quo.
E say that DNSSEC management must be in sync with management of the root zone. People today trust the DNS given the hierarchy we have in the namespace with IANA at the root. DNSSEC should be in sync with that.
If that is changed (we all know about the JPA, complaints on US Gov etc etc), then also DNSSEC processes should be changed. I.e. after adding DNSSEC to the way we do management of the root zone today (including some potential changes), we should still only have one process for the root zone management. Not one for DNSSEC and one for the root zone. It is one. "There can only be one!" ;-)
Mind you - I am not commenting on B or E, but my reading of the two leaves come confusion in my mind. Perhaps I am misunderstanding B and/or E as it is presented here. 

Understood. It could be confusing.
F - Policies and processes for signing the root zone should make it easy 
for TLDs to participate.
As someone employed by a TLD registry, it's not clear to me how or why such rather internal matters of the root zone matter to my job. Again, not saying this is a bad statement, but it begs for more detail or direction.
I am not saying that the policies and processes for signing the root should be closed to the public. I just don't see the relevance to the TLD.
People here recognized that when one talk about "trust" and DNSSEC people often talk about the trust the resolver operator have on the trust anchor. One forget to talk about the trust a TLD operator have to have on the root zone management. They have to trust the process so that they publish their DS. Further, they today make changes according to a specific process (via IANA etc), that they to some degree "trust". Adding DNSSEC must take that into consideration. How easy/ hard it is for TLDs to participate.
J - The organisation that creates the zone file must hold the private part 
of the ZSK.
My guess is that the intention in J is to say "the org that creates the zone file is the sole possessor of the private ZSK(s) and *performs the signing function*." Otherwise it doesn't matter if the creator has the key at all. 

Ok. Thanks!


K - Changes to the entities and roles in the signing process must not
require a change of keys.
I technically disagree with that, if there is a change in the entity performing the zone signing, the private key material should not have to be transferred out in the transition. The private key material of concern here is the ZSK, not the KSK. 

People here said two things to me:
a) It would be good if change of ZSK or KSK operator would NOT imply a silent period or _VERY_ complicated key rollover.
b) If the keys are contained in hardware (say 3 HSM), then a transition from one holder to another could be made by physically carrying one of the HSM to the new operator. Tests can be done. Then when those tests are positive, the two other HSM can be carried away. When that is done and things work, then a key rollover process can start as normal.
This and other things lead me to add text like the one above. "Must not" is probably too strong though. 

   Patrik
Post To The List:

Replies

Message References

<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | Copyright Statement
RIPE.NET Homepage LIR Portal RIPE Community