From anandb at ripe.net Wed Oct 1 16:42:00 2008
From: anandb at ripe.net (Anand Buddhdev)
Date: Wed, 01 Oct 2008 16:42:00 +0200
Subject: [dns-wg] Reverse DNS lameness alerts
Message-ID: <48E38C38.2010706@ripe.net>

[Apologies for duplicate emails]

Dear Colleagues,

Some of you received email messages last month from the RIPE NCC with alerts about lame DNS servers. These messages were generated as part of the RIPE NCC's DNS lameness project.

Unfortunately, the alerts were not entirely correct, and showed all the servers of some reverse zones as lame. This was caused by programming errors in the software that produced the messages. We have identified these errors, and we are correcting them. We are also introducing additional tests and safeguards to improve the quality of our DNS lameness measurements.

For more information on the RIPE NCC's DNS lameness project, please see:

http://www.ripe.net/info/stats/dns-lameness/

Regards,

Anand Buddhdev
DNS Services Manager, RIPE NCC

From jim at rfc1035.com Thu Oct 9 16:47:05 2008
From: jim at rfc1035.com (Jim Reid)
Date: Thu, 9 Oct 2008 15:47:05 +0100
Subject: [dns-wg] NTIA consultation on DNSSEC
Message-ID:

Colleagues, the NTIA (the bit of DoC which oversees changes to the root zone) has just announced a consultation on the deployment of DNSSEC. I quote:

"Commerce's National Telecommunications and Information Administration (NTIA) today issued a Notice of Inquiry seeking public comments regarding the deployment of Domain Name and Addressing System Security Extensions (DNSSEC) into the Internet's DNS infrastructure, including the authoritative root zone."

Further details are at: http://www.ntia.doc.gov/press/2008/DNSSEC_081009.html .

Perhaps the WG would like to formulate a response to this consultation? I would also like the WG to give an indication if we should allocate some time at RIPE57 to discuss this consultation and any possible response to it.
From jaap at NLnetLabs.nl Thu Oct 9 16:56:34 2008
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Thu, 09 Oct 2008 16:56:34 +0200
Subject: [dns-wg] NTIA consultation on DNSSEC
In-Reply-To: Your message of Thu, 09 Oct 2008 15:47:05 +0100.
Message-ID: <200810091456.m99EuYBG059757@bartok.nlnetlabs.nl>

> Further details are at: http://www.ntia.doc.gov/press/2008/DNSSEC_081009.html.

The URL http://www.ntia.doc.gov/DNS/DNSSEC.html gives links to all the documents.

	jaap

From jim at rfc1035.com Wed Oct 15 11:01:14 2008
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 15 Oct 2008 10:01:14 +0100
Subject: [dns-wg] Agenda for RIPE 57
Message-ID: <774B537A-9A84-43D3-9093-948BB3A4298A@rfc1035.com>

Colleagues, here's the agenda for the Dubai RIPE meeting. I hope to see you there!

Tuesday Afternoon

Administrivia (5 mins)

Review of Action Items (10 mins)

ICANN/IANA Update (15 mins)
Kim Davies, IANA

Discussion on NTIA DNSSEC NoI (20 mins)

Etisalat DNS Operational Experiences (10 mins)
Abdulla Bushlaibi, Etisalat

A description of Etisalat's experience in the field of implementing DNS services, across different types of services and requirements. It explains past, present and future plans for DNS architecture in Etisalat, considering network convergence as well as expansion. It describes problems and challenges on the way and some solutions.

A versatile platform for DNS metrics with its application to IPv6 penetration (30 mins)
Stephane Bortzmeyer, AFNIC

AFNIC is developing a DNS-based measurements & statistics project in order to monitor the evolution of an open list of technical activities (IPv6, DNSSEC, EDNS0 support, SPF & DKIM deployment...). The project started with IPv6 penetration measurements, and an overview of the results based on collected DNS data from .fr is presented.
Wednesday Morning

IETF WG news update (15 mins)
Lars-Johan Liman, Autonomica

NCC Update (15 mins)
Anand Buddhdev, RIPE NCC (TBC)

Discussion on stale domain objects (15 mins)
Peter Koch, DENIC

.org's Next Steps with DNSSEC (20 mins)
Lance Wolak, PIR

This describes how .ORG has initiated an industry coalition to streamline the implementation of DNSSEC through the collaborative development of specific educational material, common tools and implementation guides.

IDN GCC trial project (15 mins)
Amani Mohammed Bin Sewaif, Etisalat

The presentation will focus on the DNS aspects of the IDN trial project that has been implemented among the GCC countries. It explains the initial discussion/requirements for the DNS architecture to serve the trial, what approaches were considered and the final setup. It will briefly show how it works, and elaborate on the tools developed for the community as well as point to other resources/work done in this project.

Followup on NTIA DNSSEC NoI (5 mins)

AOB/General Discussion (5 mins)

From jim at rfc1035.com Wed Oct 15 11:12:17 2008
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 15 Oct 2008 10:12:17 +0100
Subject: [dns-wg] NTIA NoI: does anyone care?
Message-ID:

So far there has been no discussion on the list about the NTIA proposals about getting the root signed. I would have hoped someone would have said something by now. Sigh.

Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list. I think this WG has an obligation to make some sort of "official" response to the NTIA's consultation. After all, we played our part to get the ball rolling by producing the "sign the root" letter to ICANN at the Tallinn meeting. So now that there are some concrete proposals for consideration, I feel the WG should look at them and respond.

I would also welcome suggestions from WG members about how to stimulate a discussion here about the NTIA proposals.
Although time has been set aside in the RIPE57 agenda, that won't be enough. The majority of people on this list won't be in Dubai. And besides, it's really the list that should decide the WG's opinion and what action it should take.

Over to you....

From fweimer at bfk.de Wed Oct 15 11:17:39 2008
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 15 Oct 2008 11:17:39 +0200
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: (Jim Reid's message of "Wed, 15 Oct 2008 10:12:17 +0100")
References:
Message-ID: <82iqruw72k.fsf@mid.bfk.de>

* Jim Reid:

> Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list.

I asked them a procedural question about the comment process and haven't received a reply. Maybe non-citizens aren't eligible to comment. 8-/

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From lee at cnnic.cn Wed Oct 15 14:44:12 2008
From: lee at cnnic.cn (Xiaodong Lee)
Date: Wed, 15 Oct 2008 20:44:12 +0800
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <424062049.32256@cnnic.cn>
References: <424062049.32256@cnnic.cn>
Message-ID: <424074668.08227@cnnic.cn>

As I know, if doing root server signing, there are some problems for name servers with BIND software to protect their zone file.

-- 
Xiaodong LEE [The best answer is doing]
+86-10-58813020
mailto:lee at cnnic.cn
http://lixiaodong.cn

On 2008-10-15, at 5:12 PM, Jim Reid wrote:

> So far there has been no discussion on the list about the NTIA proposals about getting the root signed. I would have hoped someone would have said something by now. Sigh.
>
> Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list. I think this WG has an obligation to make some sort of "official" response to the NTIA's consultation.
> After all, we played our part to get the ball rolling by producing the "sign the root" letter to ICANN at the Tallinn meeting. So now that there are some concrete proposals for consideration, I feel the WG should look at them and respond.
>
> I would also welcome suggestions from WG members about how to stimulate a discussion here about the NTIA proposals. Although time has been set aside in the RIPE57 agenda, that won't be enough. The majority of people on this list won't be in Dubai. And besides, it's really the list that should decide the WG's opinion and what action it should take.
>
> Over to you....

From jim at rfc1035.com Wed Oct 15 14:56:14 2008
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 15 Oct 2008 13:56:14 +0100
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <424074668.08227@cnnic.cn>
References: <424062049.32256@cnnic.cn> <424074668.08227@cnnic.cn>
Message-ID:

On Oct 15, 2008, at 13:44, Xiaodong Lee wrote:

> As I know, if doing root server signing, there are some problems for name servers with BIND software to protect their zone file.

Could you expand on this? What are these problems? I'm not sure I understand how signing the root would have an impact on how some random BIND administrator would protect the zones they manage. Or are you referring to the issues around embedding the trust anchor for the root into named.conf files?

From drc at virtualized.org Wed Oct 15 16:10:34 2008
From: drc at virtualized.org (David Conrad)
Date: Wed, 15 Oct 2008 07:10:34 -0700
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <82iqruw72k.fsf@mid.bfk.de>
References: <82iqruw72k.fsf@mid.bfk.de>
Message-ID: <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org>

On Oct 15, 2008, at 2:17 AM, Florian Weimer wrote:

>> Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list.
>
> I asked them a procedural question about the comment process and haven't received a reply. Maybe non-citizens aren't eligible to comment. 8-/

As far as I am aware, anyone and everyone is eligible to comment. You just have to follow the submission rules (otherwise your input will likely be ignored). You will note on http://www.ntia.doc.gov/DNS/DNSSEC.html that as of today, 8 people have submitted comments.

Given the international nature of this particular situation, I personally think it particularly important that folks outside the US provide _substantive_ input (that is, "me too!" is likely not helpful) on this particular topic.

Regards,
-drc

From Ed.Lewis at neustar.biz Wed Oct 15 16:41:58 2008
From: Ed.Lewis at neustar.biz (Edward Lewis)
Date: Wed, 15 Oct 2008 10:41:58 -0400
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <82iqruw72k.fsf@mid.bfk.de>
References: <82iqruw72k.fsf@mid.bfk.de>
Message-ID:

At 11:17 +0200 10/15/08, Florian Weimer wrote:

>> Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list.

I don't know that a discussion here will do more than just be an exchange amongst us chickens. Unless the WG is trying to send an organized, coordinated message, comments are better directed at the address mentioned in the NoI.

> I asked them a procedural question about the comment process and haven't received a reply. Maybe non-citizens aren't eligible to comment. 8-/

Perhaps if you asked the question here, one of us may know the answer. The procedure is quite simple. Remember, they are just asking questions here, not making decisions, determinations, rulings, etc. A "NoI" is a Notice of Inquiry. They do have quite an extensive list of questions in place - a help towards knowing how to address this, but they don't "require" any respondent to address them.

(Looking at other comments - where does it sound like you need to be a US citizen? Anyone can send postal mail/fax/email.)
Here is what they are asking (for):

    The Department seeks comments on DNSSEC deployment and a signed root generally, as well as specific details, comments, and evaluations of the various process flow models proposed or other process flow models that may otherwise be technically feasible to implement DNSSEC at the root zone level. Please include...

Here is where to send your comments:

    Written comments may be submitted by mail to Fiona Alexander, Associate Administrator, Office of International Affairs, National Telecommunications and Information Administration, U.S. Department of Commerce, 1401 Constitution Avenue, N.W., Room 4701, Washington, DC 20230. Written comments may also be sent by facsimile to (202) 482-1865 or electronically via electronic mail to DNSSEC at ntia.doc.gov.

And here is the "deadline:"

    Comments are due on November 24, 2008

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress. Activity pays more.

From Ed.Lewis at neustar.biz Wed Oct 15 16:44:34 2008
From: Ed.Lewis at neustar.biz (Edward Lewis)
Date: Wed, 15 Oct 2008 10:44:34 -0400
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org>
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org>
Message-ID:

At 7:10 -0700 10/15/08, David Conrad wrote:

> (that is, "me too!" is likely not helpful)

Amen, brother. Folks getting these replies do know when they are subject to "ballot box stuffing" when they are trying to gather ideas. One brilliant answer clobbers a thousand "me too's" to one other opinion. This is why I think energy on this is better spent replying to the NTIA than here. 'Course, a discussion here might help folks prepare responses to the NoI, but the discussion here won't be considered by the NTIA.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress. Activity pays more.

From bmanning at vacation.karoshi.com Wed Oct 15 17:05:35 2008
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Wed, 15 Oct 2008 15:05:35 +0000
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <82iqruw72k.fsf@mid.bfk.de>
References: <82iqruw72k.fsf@mid.bfk.de>
Message-ID: <20081015150535.GB4174@vacation.karoshi.com.>

On Wed, Oct 15, 2008 at 11:17:39AM +0200, Florian Weimer wrote:
> * Jim Reid:
>
>> Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list.
>
> I asked them a procedural question about the comment process and haven't received a reply. Maybe non-citizens aren't eligible to comment. 8-/

they are allowed and encouraged.

From jim at rfc1035.com Wed Oct 15 17:12:54 2008
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 15 Oct 2008 16:12:54 +0100
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References: <82iqruw72k.fsf@mid.bfk.de>
Message-ID:

On Oct 15, 2008, at 15:41, Edward Lewis wrote:

> I don't know that a discussion here will do more than just be an exchange amongst us chickens. Unless the WG is trying to send an organized, coordinated message, comments are better directed at the address mentioned in the NoI.

Ed, thanks for the comments and for correcting some potential misunderstandings. I had hoped the intention of a discussion here was already clear. Oh well. So here it is again:

IMO the WG has an implicit obligation to make some sort of "official" response to the NTIA. [After all, it could be argued that the Tallinn "sign the root" declaration helped get ICANN and NTIA to where they are today.]
So I would like the WG to discuss the various proposals in the NTIA NoI and hopefully reach a technical consensus around that. Maybe we consider one of these approaches acceptable. Or perhaps one of them is unacceptable. Or somewhere in between, who knows?

And if it's not possible to get a technical consensus from the WG by the deadline, then I hope we can at least agree on some common statement that can be submitted in time: perhaps something neutral but encouraging like "we welcome the NTIA NoI as a positive step towards getting the root signed". However even that depends on the WG discussing the subject. Or if there's no interest or we feel this topic isn't any business of this WG, we can just give up. Which again needs the members of the list to speak up.

So, to back up a bit, let me ask the WG some direct questions:

[1] Do we care about the NTIA NoI?
[2] Should the WG (try to) formulate a response to that NoI?
[3] If the answer to [2] is no, why not?
[4] If the answer to [2] is yes, what sort of response should the WG try to send?
[5] If that response has a technical component, how do we reach a consensus?

From bmanning at vacation.karoshi.com Wed Oct 15 17:05:04 2008
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Wed, 15 Oct 2008 15:05:04 +0000
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References:
Message-ID: <20081015150504.GA4174@vacation.karoshi.com.>

On Wed, Oct 15, 2008 at 10:12:17AM +0100, Jim Reid wrote:
> So far there has been no discussion on the list about the NTIA proposals about getting the root signed. I would have hoped someone would have said something by now. Sigh.
>
> Over to you....
rough take:

#4 is touted as the official ICANN position
#5 is touted as the official Verisign position

both ICANN and Verisign are claiming that all the zone creation, change and publication should be placed with the same organization that creates, holds and uses the digital signatures attesting to the integrity of the zone data.

in local parlance, this is the functional equivalence of the fox watching the hen house.

options #3 and #6 move the key creation & maintenance along w/ the signing of the zone data to a third party. this type of practice is common, where an auditor or notary validates the presented data.

option #6 has the attribute of not having any significant real world deployment - the M of N code and operational practice may not be ready for adoption for such a system.

So my general leaning is toward #3 - it provides increased diversity/oversight of the process.

--bill

From kim.davies at icann.org Wed Oct 15 17:36:09 2008
From: kim.davies at icann.org (Kim Davies)
Date: Wed, 15 Oct 2008 08:36:09 -0700
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <20081015150504.GA4174@vacation.karoshi.com.>
Message-ID:

On 15/10/08 8:05 AM, "bmanning at vacation.karoshi.com" wrote:

> both ICANN and Verisign are claiming that all the zone creation, change and publication should be placed with the same organization that creates, holds and uses the digital signatures attesting to the integrity of the zone data.
>
> in local parlance, this is the functional equivalence of the fox watching the hen house.

Sorry Bill, but I don't see how this analogy works at all. How does an uninvolved third party attest the integrity of the data in the root zone? In a DNSSEC-signed world, the ICANN/VeriSign/NTIA troika would presumably still be responsible for the content of the root zone.
If we are talking about analogies, I want the md5sum or PGP signature testifying that a software package is not tampered with to be generated as close as possible to when the author created the tar file, not by third parties after it has passed through multiple hands.

kim

From bmanning at vacation.karoshi.com Wed Oct 15 18:09:22 2008
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Wed, 15 Oct 2008 16:09:22 +0000
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References: <20081015150504.GA4174@vacation.karoshi.com.>
Message-ID: <20081015160922.GA4795@vacation.karoshi.com.>

On Wed, Oct 15, 2008 at 08:36:09AM -0700, Kim Davies wrote:
> On 15/10/08 8:05 AM, "bmanning at vacation.karoshi.com" wrote:
>
>> both ICANN and Verisign are claiming that all the zone creation, change and publication should be placed with the same organization that creates, holds and uses the digital signatures attesting to the integrity of the zone data.
>>
>> in local parlance, this is the functional equivalence of the fox watching the hen house.
>
> Sorry Bill, but I don't see how this analogy works at all. How does an uninvolved third party attest the integrity of the data in the root zone? In a DNSSEC-signed world, the ICANN/VeriSign/NTIA troika would presumably still be responsible for the content of the root zone.

that's ok, i said it was local. if you are not familiar with the role of company/security auditors or the use of notaries public, then perhaps knowledge in that area would be helpful in understanding my concerns.

> If we are talking about analogies, I want the md5sum or PGP signature testifying that a software package is not tampered with to be generated as close as possible to when the author created the tar file, not by third parties after it has passed through multiple hands.

nothing stops VSGN from continuing to provide the MD5sum on the data it ships.
> kim

--bill

From dburk at burkov.aha.ru Wed Oct 15 18:41:56 2008
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Wed, 15 Oct 2008 20:41:56 +0400
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References:
Message-ID: <48F61D54.1030602@burkov.aha.ru>

Jim Reid wrote:

Jim,
for me it seems that it will raise governance issues, and it is not a technical problem but more a political and legal issue.
I really worry about the potential consequences of all these intentions to deploy on the net some digital signature based techniques (aka DNSSEC, SIDR).
It is very risky and can provoke Internet fragmentation.
We can try to improve security and stability - but as a result we can get a totally different Internet - it is like some kind of Pandora's box.

Dmitry

> So far there has been no discussion on the list about the NTIA proposals about getting the root signed. I would have hoped someone would have said something by now. Sigh.
>
> Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list. I think this WG has an obligation to make some sort of "official" response to the NTIA's consultation. After all, we played our part to get the ball rolling by producing the "sign the root" letter to ICANN at the Tallinn meeting. So now that there are some concrete proposals for consideration, I feel the WG should look at them and respond.
>
> I would also welcome suggestions from WG members about how to stimulate a discussion here about the NTIA proposals. Although time has been set aside in the RIPE57 agenda, that won't be enough. The majority of people on this list won't be in Dubai. And besides, it's really the list that should decide the WG's opinion and what action it should take.
>
> Over to you....
>

From drc at virtualized.org Wed Oct 15 21:44:40 2008
From: drc at virtualized.org (David Conrad)
Date: Wed, 15 Oct 2008 12:44:40 -0700
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <20081015150504.GA4174@vacation.karoshi.com.>
References: <20081015150504.GA4174@vacation.karoshi.com.>
Message-ID: <78110726-53F6-4B6B-9458-15A59878DA97@virtualized.org>

Bill,

On Oct 15, 2008, at 8:05 AM, bmanning at vacation.karoshi.com wrote:

> both ICANN and Verisign are claiming that all the zone creation, change and publication should be placed with the same organization that creates, holds and uses the digital signatures attesting to the integrity of the zone data.
>
> in local parlance, this is the functional equivalence of the fox watching the hen house.

This is the kind of FUD that really annoys me. It is attributing some magical quality to zone signing that doesn't actually exist.

In the ICANN-signs option, the only real change is that IANA would generate the (signed) zone, with VeriSign publishing the zone after authorization from DoC. In the VeriSign-signs option, the only real change is that VeriSign signs the zone after being authorized to make the zone changes by DoC.

In both cases, all zone changes must be:

a) vetted by IANA staff
b) authorized by DoC
c) published by VeriSign

prior to getting out to the root servers.

How _exactly_ does adding signing make this "the functional equivalen[t] of the fox watching the hen house"?

Once more with feeling: the ONLY thing signing the root zone does is to allow for the contents of that zone to be validated. It hides no information. It provides no new mechanisms for subterfuge.

Regards,
-drc

From drc at virtualized.org Wed Oct 15 21:53:39 2008
From: drc at virtualized.org (David Conrad)
Date: Wed, 15 Oct 2008 12:53:39 -0700
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <20081015160922.GA4795@vacation.karoshi.com.>
References: <20081015150504.GA4174@vacation.karoshi.com.> <20081015160922.GA4795@vacation.karoshi.com.>
Message-ID: <10A32247-26B2-41C1-A0EA-3960E6F1EB88@virtualized.org>

Bill,

On Oct 15, 2008, at 9:09 AM, bmanning at vacation.karoshi.com wrote:

> that's ok, i said it was local.
> if you are not familiar with the role of company/security auditors or the use of notaries public, then perhaps knowledge in that area would be helpful in understanding my concerns.

If you are not familiar with the way root zone changes are introduced, then perhaps knowledge in that area would be helpful in understanding how your concerns are misplaced. NTIA provides the role of auditor. That would not be changing, regardless of who signs the root.

DNSSEC-signing the root is a purely technical action that allows one to ensure the content of the root zone has not been modified from the point it was signed to the point where it is viewed. It does nothing more. It grants no additional levers of power or control. If you feel otherwise, please provide explicit details.

Getting the root signed has been derailed by exactly this sort of baseless, non-technical politicization. It's way past time to move forward.

Regards,
-drc

From bmanning at vacation.karoshi.com Wed Oct 15 22:48:59 2008
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Wed, 15 Oct 2008 20:48:59 +0000
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <10A32247-26B2-41C1-A0EA-3960E6F1EB88@virtualized.org>
References: <20081015150504.GA4174@vacation.karoshi.com.> <20081015160922.GA4795@vacation.karoshi.com.> <10A32247-26B2-41C1-A0EA-3960E6F1EB88@virtualized.org>
Message-ID: <20081015204859.GA7382@vacation.karoshi.com.>

On Wed, Oct 15, 2008 at 12:53:39PM -0700, David Conrad wrote:
> Bill,
>
> On Oct 15, 2008, at 9:09 AM, bmanning at vacation.karoshi.com wrote:
>> that's ok, i said it was local.
>> if you are not familiar with the role of company/security auditors or the use of notaries public, then perhaps knowledge in that area would be helpful in understanding my concerns.
>
> If you are not familiar with the way root zone changes are introduced, then perhaps knowledge in that area would be helpful in understanding how your concerns are misplaced.

thank you for the educational update. based on the published documents from NTIA, it has not changed since I was directly involved.

> If you feel otherwise, please provide explicit details.

I will be submitting a response to the NoI that will outline my feelings ... explicit detail about my feelings is not likely to be included. my reading of the six proffered models had, for me, a couple of clear winners, with one emerging as the clear favorite for adoption in the near term. others, including yourself, clearly have their own biases. i don't expect to convert you to the one true way and it is unlikely that i will be swayed by your persuasive enticements.

> It's way past time to move forward.

Indeed. Which is why it is important for each person to review the NoI and provide feedback on the relative strengths and weaknesses in each proposal. end of the day, any of the proposals could work to get the root signed - perhaps as early as this calendar year. technical merit may not be the only factor.

> Regards,
> -drc

--bill

From denis at ripe.net Thu Oct 16 18:43:45 2008
From: denis at ripe.net (Denis Walker)
Date: Thu, 16 Oct 2008 18:43:45 +0200
Subject: [dns-wg] Maintaining DOMAIN objects
Message-ID: <48F76F41.8010402@ripe.net>

[Apologies for duplicate emails]

Dear Colleagues,

The RIPE Data Protection Task Force advised the RIPE NCC that all objects in the RIPE Database should be maintained. Maintaining Routing Policy Specification Language (RPSL) objects in the RIPE Database was optional for PERSON, ROLE and DOMAIN objects. All the DOMAIN objects in the RIPE Database are now maintained and protected.
As there may have been a possibility to exploit this data if any advance warning had been given, the RIPE NCC did not publicly announce that it was going to add maintainers to unmaintained DOMAIN objects before doing so.

For further details of what was done, please see this web page:

http://www.ripe.net/db/support/security/domain/syntax.html

Regards,
Denis Walker
Business Analyst
RIPE NCC Database Group

From paul at xelerance.com Fri Oct 17 16:52:11 2008
From: paul at xelerance.com (Paul Wouters)
Date: Fri, 17 Oct 2008 10:52:11 -0400 (EDT)
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <78110726-53F6-4B6B-9458-15A59878DA97@virtualized.org>
References: <20081015150504.GA4174@vacation.karoshi.com.> <78110726-53F6-4B6B-9458-15A59878DA97@virtualized.org>
Message-ID:

On Wed, 15 Oct 2008, David Conrad wrote:

> Once more with feeling: the ONLY thing signing the root zone does is to allow for the contents of that zone to be validated. It hides no information. It provides no new mechanisms for subterfuge.

And indeed, anyone can still decide to add or remove trust anchors by configuring them in their resolver. So country X can decide to use a signed root, while still effectively removing country Y from their signed root.

Paul

From Joao_Damas at isc.org Mon Oct 20 15:46:20 2008
From: Joao_Damas at isc.org (Joao Damas)
Date: Mon, 20 Oct 2008 15:46:20 +0200
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <48F61D54.1030602@burkov.aha.ru>
References: <48F61D54.1030602@burkov.aha.ru>
Message-ID: <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org>

This is an argument that has repeated itself for some time now, with few arguments to back it.

Perhaps those with doubts about how a signed zone might be wielded as a weapon against some party would be interested in performing an analysis of what the possible reactions are to such an attempt and compare both the actions and their result to today's situation with an unsigned zone.
Then for the extra bonus, analyse the benefits of having a signed zone when it is not being wielded as a weapon (assuming the previous analysis actually finds that possibility to be real).

Joao Damas

On 15/10/2008, at 18:41, Dmitry Burkov wrote:

> Jim Reid wrote:
>
> Jim,
> for me it seems that it will raise governance issues, and it is not a technical problem but more a political and legal issue.
> I really worry about the potential consequences of all these intentions to deploy on the net some digital signature based techniques (aka DNSSEC, SIDR).
> It is very risky and can provoke Internet fragmentation.
> We can try to improve security and stability - but as a result we can get a totally different Internet - it is like some kind of Pandora's box.
>
> Dmitry
>> So far there has been no discussion on the list about the NTIA proposals about getting the root signed. I would have hoped someone would have said something by now. Sigh.
>>
>> Please try to find some time to look at the NTIA's suggestions and if possible send your comments to the list. I think this WG has an obligation to make some sort of "official" response to the NTIA's consultation. After all, we played our part to get the ball rolling by producing the "sign the root" letter to ICANN at the Tallinn meeting. So now that there are some concrete proposals for consideration, I feel the WG should look at them and respond.
>>
>> I would also welcome suggestions from WG members about how to stimulate a discussion here about the NTIA proposals. Although time has been set aside in the RIPE57 agenda, that won't be enough. The majority of people on this list won't be in Dubai. And besides, it's really the list that should decide the WG's opinion and what action it should take.
>>
>> Over to you....
>> > From Joao_Damas at isc.org Mon Oct 20 16:48:40 2008 From: Joao_Damas at isc.org (Joao Damas) Date: Mon, 20 Oct 2008 16:48:40 +0200 Subject: [dns-wg] NTIA NoI: does anyone care? In-Reply-To: <48FC98DF.2080104@burkov.aha.ru> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> Message-ID: <1224D6BC-35A3-42A9-BEF0-4B66DF7A6F93@isc.org> Dmitry, my mail was not technical at all. How does the state of affairs change from today? What are your reaction possibilities and their impact, and how do they differ from today's scenario? Does the signing of the root zone actually impede or make harder any of the reactions you would exercise today against, for example, the deletion of a ccTLD from the root zone? Is there an analysis of how zone signing changes any of this? Joao On 20/10/2008, at 16:42, Dmitry Burkov wrote: > Joao, > to be realistic - the most probable reaction will be refuse to sign > with all following consequences. > SIDR deployment (as it is proposed today) will be a real problem. > DNSSEC deployment will be less problematic but still a problem as it > will be used in software more and more. > > It also raises an old question about Internet governance and role of > USG in this process as will enforce DoC position. > Some people for years tried to explain root servers stability and > practical independence from any one government now their arguments > will fall down. > In any of NTIA's proposed scheme it will be under one country > regulation and if previously you can imagine partly functional > ccTLDs even if zone was changed - > now if signature will be invalid/recalled (don't know the term in > English) it will be more problematic. > > When we begin to use digital signatures for infrastructure - maybe, > we miss the point that this tool is just a reflection of some real > world > relations and obligations and based on national laws and other > lawyer stuff.
> Putting it on this part of the net we risk to involve all issues > from real world. > > And all benefits which you mentioned and which I understand and > recognize from technical point of view will be non significant. > > regards, > Dmitry > > > Joao Damas wrote: >> This is an argument that has repeated itself for some time now, >> with few arguments to back it. >> >> Perhaps those with doubts about how a signed zone might be wielded >> as a weapon against some party, would be interested in performing >> an analysis of what the possible reactions are to such an attempt >> and compare both the actions and their result to today's situation >> with an unsigned zone. Then for the extra bonus, analyse the >> benefits of having a signed zone when it is not being wielded as a >> weapon (assuming the previous analysis actually finds that >> possibility to be real) >> >> Joao Damas >> >> On 15/10/2008, at 18:41, Dmitry Burkov wrote: >> >>> Jim Reid wrote: >>> >>> Jim, >>> for me it seems - that it will raise governance issues and it is >>> not a technical problem - but more a political and legal issue. >>> I really worry about potential consequences of all these >>> intentions to deploy on the net some digital signatures based >>> techniques (aka DNSSEC, sidr) >>> It is very risky and can provoke Internet fragmentation. >>> We can try to improve security and stability - but in result we >>> can get totally different Internet - it is like some kind of >>> Pandora's box. >>> >>> Dmitry >>>> So far there has been no discussion on the list about the NTIA >>>> proposals about getting the root signed. I would have hoped >>>> someone would have said something by now. Sigh. >>>> >>>> Please try to find some time to look at the NTIA's suggestions >>>> and if possible send your comments to the list. I think this WG >>>> has an obligation to make some sort of "official" response to the >>>> NTIA's consultation.
After all, we played our part to get the >>>> ball rolling by producing the "sign the root" letter to ICANN at >>>> the Tallinn meeting. So now that there are some concrete >>>> proposals for consideration, I feel the WG should look at them >>>> and respond. >>>> >>>> I would also welcome suggestions from WG members about how to >>>> stimulate a discussion here about the NTIA proposals. Although >>>> time has been set aside in the RIPE57 agenda, that won't be >>>> enough. The majority of people on this list won't be in Dubai. >>>> And besides, it's really the list that should decide the WG's >>>> opinion and what action it should take. >>>> >>>> Over to you.... >>>> >>> >> From dburk at burkov.aha.ru Mon Oct 20 17:03:43 2008 From: dburk at burkov.aha.ru (Dmitry Burkov) Date: Mon, 20 Oct 2008 19:03:43 +0400 Subject: [dns-wg] NTIA NoI: does anyone care? In-Reply-To: <1224D6BC-35A3-42A9-BEF0-4B66DF7A6F93@isc.org> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <1224D6BC-35A3-42A9-BEF0-4B66DF7A6F93@isc.org> Message-ID: <48FC9DCF.1050402@burkov.aha.ru> Joao, not exactly and immediately today. The problem is that the new tool will be used in software and especially end-user software. As it happens, the situation will be changed radically. Either I am mad or I am missing something. Dmitry Joao Damas wrote: > Dmitry, > my mail was not technical at all. > How does the state of affairs change from today? What are your > reaction possibilities and their impact and how do they differ from > today's scenario? Does the signing of the root zone actually impede or > make harder any of the reactions you would exercise today against, for > example, the deletion of a ccTLD from the root zone? > Is there an analysis of how zone signing changes any of this?
> > Joao > > > On 20/10/2008, at 16:42, Dmitry Burkov wrote: > >> Joao, >> to be realistic - the most probable reaction will be refuse to sign >> with all following consequences. >> SIDR deployment (as it is proposed today) will be a real problem. >> DNSSEC deployment will be less problematic but still a problem as it >> will be used in software more and more. >> >> It also raises an old question about Internet governance and role of >> USG in this process as will enforce DoC position. >> Some people for years tried to explain root servers stability and >> practical independence from any one government now their arguments >> will fall down. >> In any of NTIA's proposed scheme it will be under one country >> regulation and if previously you can imagine partly functional ccTLDs >> even if zone was changed - >> now if signature will be invalid/recalled (don't know the term in >> English) it will be more problematic. >> >> When we begin to use digital signatures for infrastructure - maybe, >> we miss the point that this tool is just a reflection of some real world >> relations and obligations and based on national laws and other lawyer >> stuff. >> Putting it on this part of the net we risk to involve all issues from >> real world. >> >> And all benefits which you mentioned and which I understand and >> recognize from technical point of view will be non significant. >> >> regards, >> Dmitry >> >> >> Joao Damas wrote: >>> This is an argument that has repeated itself for some time now, with >>> few arguments to back it. >>> >>> Perhaps those with doubts about how a signed zone might be wielded >>> as a weapon against some party, would be interested in performing an >>> analysis of what the possible reactions are to such an attempt and >>> compare both the actions and their result to today's situation with >>> an unsigned zone.
Then for the extra bonus, analyse the benefits of >>> having a signed zone when it is not being wielded as a weapon >>> (assuming the previous analysis actually finds that possibility to >>> be real) >>> >>> Joao Damas >>> >>> On 15/10/2008, at 18:41, Dmitry Burkov wrote: >>> >>>> Jim Reid wrote: >>>> >>>> Jim, >>>> for me it seems - that it will raise governance issues and it is >>>> not a technical problem - but more a political and legal issue. >>>> I really worry about potential consequences of all these intentions >>>> to deploy on the net some digital signatures based techniques (aka >>>> DNSSEC, sidr) >>>> It is very risky and can provoke Internet fragmentation. >>>> We can try to improve security and stability - but in result we can >>>> get totally different Internet - it is like some kind of Pandora's >>>> box. >>>> >>>> Dmitry >>>>> So far there has been no discussion on the list about the NTIA >>>>> proposals about getting the root signed. I would have hoped >>>>> someone would have said something by now. Sigh. >>>>> >>>>> Please try to find some time to look at the NTIA's suggestions and >>>>> if possible send your comments to the list. I think this WG has an >>>>> obligation to make some sort of "official" response to the NTIA's >>>>> consultation. After all, we played our part to get the ball >>>>> rolling by producing the "sign the root" letter to ICANN at the >>>>> Tallinn meeting. So now that there are some concrete proposals for >>>>> consideration, I feel the WG should look at them and respond. >>>>> >>>>> I would also welcome suggestions from WG members about how to >>>>> stimulate a discussion here about the NTIA proposals. Although >>>>> time has been set aside in the RIPE57 agenda, that won't be >>>>> enough. The majority of people on this list won't be in Dubai. And >>>>> besides, it's really the list that should decide the WG's opinion >>>>> and what action it should take. >>>>> >>>>> Over to you....
>>>>> >>>> >>> > From dburk at burkov.aha.ru Mon Oct 20 16:42:39 2008 From: dburk at burkov.aha.ru (Dmitry Burkov) Date: Mon, 20 Oct 2008 18:42:39 +0400 Subject: [dns-wg] NTIA NoI: does anyone care? In-Reply-To: <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> Message-ID: <48FC98DF.2080104@burkov.aha.ru> Joao, to be realistic - the most probable reaction will be refuse to sign with all following consequences. SIDR deployment (as it is proposed today) will be a real problem. DNSSEC deployment will be less problematic but still a problem as it will be used in software more and more. It also raises an old question about Internet governance and role of USG in this process as will enforce DoC position. Some people for years tried to explain root servers stability and practical independence from any one government now their arguments will fall down. In any of NTIA's proposed scheme it will be under one country regulation and if previously you can imagine partly functional ccTLDs even if zone was changed - now if signature will be invalid/recalled (don't know the term in English) it will be more problematic. When we begin to use digital signatures for infrastructure - maybe, we miss the point that this tool is just a reflection of some real world relations and obligations and based on national laws and other lawyer stuff. Putting it on this part of the net we risk to involve all issues from real world. And all benefits which you mentioned and which I understand and recognize from technical point of view will be non significant. regards, Dmitry Joao Damas wrote: > This is an argument that has repeated itself for some time now, with > few arguments to back it.
> > Perhaps those with doubts about how a signed zone might be wielded as > a weapon against some party, would be interested in performing an > analysis of what the possible reactions are to such an attempt and > compare both the actions and their result to today's situation with an > unsigned zone. Then for the extra bonus, analyse the benefits of > having a signed zone when it is not being wielded as a weapon > (assuming the previous analysis actually finds that possibility to be > real) > > Joao Damas > > On 15/10/2008, at 18:41, Dmitry Burkov wrote: > >> Jim Reid wrote: >> >> Jim, >> for me it seems - that it will raise governance issues and it is not >> a technical problem - but more a political and legal issue. >> I really worry about potential consequences of all these intentions >> to deploy on the net some digital signatures based techniques (aka >> DNSSEC, sidr) >> It is very risky and can provoke Internet fragmentation. >> We can try to improve security and stability - but in result we can >> get totally different Internet - it is like some kind of Pandora's box. >> >> Dmitry >>> So far there has been no discussion on the list about the NTIA >>> proposals about getting the root signed. I would have hoped someone >>> would have said something by now. Sigh. >>> >>> Please try to find some time to look at the NTIA's suggestions and >>> if possible send your comments to the list. I think this WG has an >>> obligation to make some sort of "official" response to the NTIA's >>> consultation. After all, we played our part to get the ball rolling >>> by producing the "sign the root" letter to ICANN at the Tallinn >>> meeting. So now that there are some concrete proposals for >>> consideration, I feel the WG should look at them and respond. >>> >>> I would also welcome suggestions from WG members about how to >>> stimulate a discussion here about the NTIA proposals. Although time >>> has been set aside in the RIPE57 agenda, that won't be enough.
The >>> majority of people on this list won't be in Dubai. And besides, it's >>> really the list that should decide the WG's opinion and what action >>> it should take. >>> >>> Over to you.... >>> >> > From dburk at burkov.aha.ru Mon Oct 20 18:55:17 2008 From: dburk at burkov.aha.ru (Dmitry Burkov) Date: Mon, 20 Oct 2008 20:55:17 +0400 Subject: [dns-wg] Re: root zone signing In-Reply-To: <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> Message-ID: <48FCB7F5.3050905@burkov.aha.ru> Jim Reid wrote: Jim, for me the issue - as I wrote in previous email to Joao - it is how it can be used in software in future. Depending on this - it can be critical. Second point - how it will be used for .arpa Third point (not related to DNS - sorry - but similar problem) - sidr and its deployment. After that I want to remind that the political world is not hierarchical - and when we put something with legal background to technical implementation it will immediately raise political issues as it does not reflect reality. It seems to me a problem even if all of us have the best intentions. regards, Dima > On Oct 20, 2008, at 15:42, Dmitry Burkov wrote: > >> It also raises an old question about Internet governance and role of >> USG in this process as will enforce DoC position. >> Some people for years tried to explain root servers stability and >> practical independence from any one government now their arguments >> will fall down. >> In any of NTIA's proposed scheme it will be under one country >> regulation and if previously you can imagine partly functional ccTLDs >> even if zone was changed - >> now if signature will be invalid/recalled (don't know the term in >> English) it will be more problematic. > > Dima, these questions will always be raised. Even if nothing is ever > done to the root.
The point Joao made earlier still goes unanswered. > With an unsigned root, all changes to add, remove or update data in > the zone involve co-ordination with the DoC/NTIA. If/when the root is > signed, all changes to the root zone will still involve co-ordination > with the DoC/NTIA. So what's different? > >> When we begin to use digital signatures for infrastructure - maybe, >> we miss the point that this tool is just a reflection of some real world >> relations and obligations and based on national laws and other lawyer >> stuff. >> Putting it on this part of the net we risk to involve all issues from >> real world. > > I appreciate that some people will feel that legal agreements are an > unavoidable consequence of signing. However that's a matter between > each TLD (and its government?) and those co-ordinating the root. > There are no technical grounds for parent and child zones to have a > legal agreement underpinning their use of DNSSEC. So if a TLD wants to > have a signed delegation, they can do that with or without an > agreement or anything that could be viewed as an acceptance of the way > the root is managed today. If a TLD doesn't want to have a signed > delegation, then they don't have to. Nobody's being compelled to do > anything they don't want. > > And as far as I can tell, nothing's being proposed that will > compromise security or stability. Though there are obvious technical > and operational concerns about where the key(s) get stored, how they're > managed and who's involved in that. > > IMO, there's no "lawyer stuff" here. At least as far as signing the > root is concerned. All that's happening is some TLD presents its KSK, > IANA verifies that key and then causes a signature over that key to be > generated. Which pretty much means that IANA is saying "we assert that > this was the TLD KSK that we checked": nothing more. > > Now there may well be lawyer stuff further down the tree. For instance > suppose .ru is signed.
I would expect that the .ru registry would have > to consult the Russian government and Russian law about what that > means nationally. But that is what's known in international law as a > National Matter and isn't anyone else's business. Likewise, they may > well need to consult widely inside Russia before submitting a KSK for > .ru to the signed root, if that was in place. > From jim at rfc1035.com Mon Oct 20 18:26:12 2008 From: jim at rfc1035.com (Jim Reid) Date: Mon, 20 Oct 2008 17:26:12 +0100 Subject: [dns-wg] root zone signing In-Reply-To: <48FC98DF.2080104@burkov.aha.ru> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> Message-ID: <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> On Oct 20, 2008, at 15:42, Dmitry Burkov wrote: > It also raises an old question about Internet governance and role of > USG in this process as will enforce DoC position. > Some people for years tried to explain root servers stability and > practical independence from any one government now their arguments > will fall down. > In any of NTIA's proposed scheme it will be under one country > regulation and if previously you can imagine partly functional > ccTLDs even if zone was changed - > now if signature will be invalid/recalled (don't know the term in > English) it will be more problematic. Dima, these questions will always be raised. Even if nothing is ever done to the root. The point Joao made earlier still goes unanswered. With an unsigned root, all changes to add, remove or update data in the zone involve co-ordination with the DoC/NTIA. If/when the root is signed, all changes to the root zone will still involve co-ordination with the DoC/NTIA. So what's different? > When we begin to use digital signatures for infrastructure - maybe, > we miss the point that this tool is just a reflection of some real > world > relations and obligations and based on national laws and other > lawyer stuff.
> Putting it on this part of the net we risk to involve all issues > from real world. I appreciate that some people will feel that legal agreements are an unavoidable consequence of signing. However that's a matter between each TLD (and its government?) and those co-ordinating the root. There are no technical grounds for parent and child zones to have a legal agreement underpinning their use of DNSSEC. So if a TLD wants to have a signed delegation, they can do that with or without an agreement or anything that could be viewed as an acceptance of the way the root is managed today. If a TLD doesn't want to have a signed delegation, then they don't have to. Nobody's being compelled to do anything they don't want. And as far as I can tell, nothing's being proposed that will compromise security or stability. Though there are obvious technical and operational concerns about where the key(s) get stored, how they're managed and who's involved in that. IMO, there's no "lawyer stuff" here. At least as far as signing the root is concerned. All that's happening is some TLD presents its KSK, IANA verifies that key and then causes a signature over that key to be generated. Which pretty much means that IANA is saying "we assert that this was the TLD KSK that we checked": nothing more. Now there may well be lawyer stuff further down the tree. For instance suppose .ru is signed. I would expect that the .ru registry would have to consult the Russian government and Russian law about what that means nationally. But that is what's known in international law as a National Matter and isn't anyone else's business. Likewise, they may well need to consult widely inside Russia before submitting a KSK for .ru to the signed root, if that was in place.
From jim at rfc1035.com Mon Oct 20 19:09:04 2008 From: jim at rfc1035.com (Jim Reid) Date: Mon, 20 Oct 2008 18:09:04 +0100 Subject: [dns-wg] Re: root zone signing In-Reply-To: <48FCB7F5.3050905@burkov.aha.ru> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> Message-ID: <133852AB-7C1B-4E82-B54B-F504B3B64F33@rfc1035.com> On Oct 20, 2008, at 17:55, Dmitry Burkov wrote: > for me the issue - as I wrote in previous email to Joao - it is how > it can be used in software in future. I'm not sure I understand the question Dima. DNSSEC is an enabling technology because it gives new opportunities (and challenges) to developers. If data from the DNS can be verified, that opens up all sorts of possibilities. One technical question that could be asked here is "what happens when idiot developers embed the root key in an embedded system (say) and then the root key changes?". Is that what you're asking about? > Depending on this - it can be critical. > > Second point - how it will be used for .arpa See above. We already have some (limited) experience here with the NCC's efforts to sign parts of the reverse tree. > Third point (not related to DNS - sorry - but similar problem) - > sidr and its deployment. I think it's unwise to link these. Though I suppose a signed part of the DNS name space would make it a whole lot easier to look up and verify (secure) routing announcements.
From bmanning at vacation.karoshi.com Mon Oct 20 20:34:52 2008 From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com) Date: Mon, 20 Oct 2008 18:34:52 +0000 Subject: [dns-wg] root zone signing In-Reply-To: <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> Message-ID: <20081020183452.GB1585@vacation.karoshi.com.> On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote: > > I appreciate that some people will feel that legal agreements are an > unavoidable consequence of signing. However that's a matter between > each TLD (and its government?) and those co-ordinating the root. > There are no technical grounds for parent and child zones to have a > legal agreement underpinning their use of DNSSEC. So if a TLD wants to > have a signed delegation, they can do that with or without an > agreement or anything that could be viewed as an acceptance of the way > the root is managed today. If a TLD doesn't want to have a signed > delegation, then they don't have to. Nobody's being compelled to do > anything they don't want. well... as Lutz has demonstrated, it's often difficult to have a signed delegation and also be able to restrict who picks up your DNSKEY and plops it into their version of the parent delegation. > All that's happening is some TLD presents its KSK, > IANA verifies that key and then causes a signature over that key to be > generated. Which pretty much means that IANA is saying "we assert that > this was the TLD KSK that we checked": nothing more. perhaps, if one buys into the argument that there is only a single parent. the .RU folks may want their signed data to only follow the JIMREID-root-o-ultimate-correctness and not appear at all in those fly-by-night outfits (PACROOT, ORSN, ICANN & RS.NET) ...
harvesting DNSKEYs seems to be a very lightweight means of "asserting that this was the TLD-KSK that we checked". > Likewise, they may > well need to consult widely inside Russia before submitting a KSK > for .ru to the signed root, if that was in place. DNSKEY harvesting is a means to avoid having a formal means to submit your data to your parent ... any/everyone can pick it up and claim your ancestry. --bill From dougb at dougbarton.us Mon Oct 20 20:53:12 2008 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 20 Oct 2008 11:53:12 -0700 Subject: [dns-wg] root zone signing In-Reply-To: <20081020183452.GB1585@vacation.karoshi.com.> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <20081020183452.GB1585@vacation.karoshi.com.> Message-ID: <48FCD398.4040507@dougbarton.us> bmanning at vacation.karoshi.com wrote: > On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote: >> I appreciate that some people will feel that legal agreements are an >> unavoidable consequence of signing. However that's a matter between >> each TLD (and its government?) and those co-ordinating the root. >> There are no technical grounds for parent and child zones to have a >> legal agreement underpinning their use of DNSSEC. So if a TLD wants to >> have a signed delegation, they can do that with or without an >> agreement or anything that could be viewed as an acceptance of the way >> the root is managed today. If a TLD doesn't want to have a signed >> delegation, then they don't have to. Nobody's being compelled to do >> anything they don't want. > > well... as Lutz has demonstrated, it's often difficult to > have a signed delegation and also be able to restrict who > picks up your DNSKEY and plops it into their version of the parent > delegation. DNSKEY is just a Resource Record, just like NS. The same arguments apply to both, with equal meaning technically.
People are applying meaning to DNSSEC-related stuff that it does not actually have. For some reason you are adding fuel to that fire. Doug From dburk at burkov.aha.ru Mon Oct 20 19:25:58 2008 From: dburk at burkov.aha.ru (Dmitry Burkov) Date: Mon, 20 Oct 2008 21:25:58 +0400 Subject: [dns-wg] Re: root zone signing In-Reply-To: <133852AB-7C1B-4E82-B54B-F504B3B64F33@rfc1035.com> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> <133852AB-7C1B-4E82-B54B-F504B3B64F33@rfc1035.com> Message-ID: <48FCBF26.3020704@burkov.aha.ru> Jim Reid wrote: > On Oct 20, 2008, at 17:55, Dmitry Burkov wrote: > >> for me the issue - as I wrote in previous email to Joao - it is how >> it can be used in software in future. > > I'm not sure I understand the question Dima. DNSSEC is an enabling > technology because it gives new opportunities (and challenges) to > developers. If data from the DNS can be verified, that opens up all > sorts of possibilities. > > One technical question that could be asked here is "what happens when > idiot developers embed the root key in an embedded system (say) and > then the root key changes?". Is that what you're asking about? Jim, I hope that you remember the laws of Murphy and Peter... or if it can happen it will happen and so on... > >> Depending on this - it can be critical. >> >> Second point - how it will be used for .arpa > > See above. We already have some (limited) experience here with the > NCC's efforts to sign parts of the reverse tree. the same problem will increase > >> Third point (not related to DNS - sorry - but similar problem) - sidr >> and its deployment. > > I think it's unwise to link these. Though I suppose a signed part of > the DNS name space would make it a whole lot easier to look up and > verify (secure) routing announcements.
But sidr deployed will raise more issues as a potential "red button". I want to return to your previous example with .ru. I don't think that it could really happen with .ru - but I can easily imagine this situation with some other country. But when some probability exists I personally worry - as we can create a potentially dangerous tool with the best intentions. When in our world services for citizens more and more depend on the Internet - I really worry about principal changes in Internet architecture. If before we de facto had a system which depended on more techies - person and professional-based responsibility - in future we can get a more automated system which will lose this previous basement and can become a weapon in the hands of politicians. Dima From drc at virtualized.org Mon Oct 20 19:58:07 2008 From: drc at virtualized.org (David Conrad) Date: Mon, 20 Oct 2008 10:58:07 -0700 Subject: [dns-wg] Re: root zone signing In-Reply-To: <48FCB7F5.3050905@burkov.aha.ru> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> Message-ID: <1BBBF679-B1BE-41EB-B258-6D766FAB312C@virtualized.org> Dima, On Oct 20, 2008, at 9:55 AM, Dmitry Burkov wrote: > for me the issue - as I wrote in previous email to Joao - it is how > it can be used in software in future. As I'm sure you're aware, the only thing DNSSEC-signing the root does is allow for validating resolvers to verify the data from the root zone hasn't been modified from the point at which it was signed to the point at which it is used by the validating resolver. If {IANA,VeriSign,NTIA} were to do something "bad", the contents of the root zone would be altered, regardless of whether the root zone were signed.
In order to avoid this badness, operators of caching servers would need to modify their root hints to point to root servers serving non-bad data or take other steps that mucked with the caching server's configuration. If the root were DNSSEC-signed, the configuration mucking would need to include changing the root trust anchor. I don't see the significantly increased risk here by adding DNSSEC. > After that I want to remind that the political world is not > hierarchical - and when we put something with legal background to > technical implementation it will immediately raise political issues > as it does not reflect reality. Sorry? What legal background are you talking about? As for reflecting reality, I'm gathering what you're referencing is the fact that the US government has an authorization role in root management. First: none of the scenarios for DNSSEC-signing the root changes this, so we'd be no better or worse off than we are now. Second: lots of governments, many of which are in Europe, support the US government having the role it does in root zone management. Given this, I suspect it is unlikely there will be a change in roles for the foreseeable future. It would be unfortunate if DNSSEC-signing the root were held back because of this. Regards, -drc From jim at rfc1035.com Mon Oct 20 20:09:41 2008 From: jim at rfc1035.com (Jim Reid) Date: Mon, 20 Oct 2008 19:09:41 +0100 Subject: [dns-wg] Re: root zone signing In-Reply-To: <48FCBF26.3020704@burkov.aha.ru> References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> <133852AB-7C1B-4E82-B54B-F504B3B64F33@rfc1035.com> <48FCBF26.3020704@burkov.aha.ru> Message-ID: <16FB4526-D94F-422A-BB85-D2E94C626D9A@rfc1035.com> On Oct 20, 2008, at 18:25, Dmitry Burkov wrote: > I hope that you remember laws of Murphy and Peter... or if it can > happen it will happen and so on... 
Indeed. But I worry about how those laws could be applied to the current insecure DNS. This is a much, much bigger danger than getting the root signed. What we've seen so far with cache poisoning attacks has been bad. And it will get worse. Meanwhile, we have a technology that works that can pretty much eliminate that problem. But it's blocked by layer-9 problems. So far. The NTIA NoI is at least a step forward to removing those obstacles.

> When in our world services for citizens more and more depends on
> Internet - I really worry about principal changes in Internet
> architecture.

I agree. But I don't see signing the root like that. It will allow those TLDs who want to deploy DNSSEC to proceed without ugly hacks that probably won't help in the long run. But signing the root won't have any impact on the TLDs who don't want to sign their zone. Similarly, those who *use* DNSSEC will know what they're getting into and take the appropriate decisions to mitigate those risks. Those who won't use DNSSEC will just carry on as if the root was never signed: they'll see no difference. Well, except for an increased exposure to security attacks predicated on DNS spoofing.

> If before we defacto have a system which was depended on more
> techies - person and professional-based responsibility - in future
> we can get more automated
> system which will lose this previous basement and can become a
> weapon in hands of politicals.

Politicians and governments win out in the end. They always do. One of the questions for this WG (and others) to consider is how well the NTIA proposals accommodate the various conflicting demands from engineers, lawyers and politicians.
From Ed.Lewis at neustar.biz Mon Oct 20 21:56:46 2008
From: Ed.Lewis at neustar.biz (Edward Lewis)
Date: Mon, 20 Oct 2008 21:56:46 +0200
Subject: [dns-wg] Re: root zone signing
In-Reply-To: <16FB4526-D94F-422A-BB85-D2E94C626D9A@rfc1035.com>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> <133852AB-7C1B-4E82-B54B-F504B3B64F33@rfc1035.com> <48FCBF26.3020704@burkov.aha.ru> <16FB4526-D94F-422A-BB85-D2E94C626D9A@rfc1035.com>
Message-ID:

At 19:09 +0100 10/20/08, Jim Reid wrote:
>Politicians and governments win out in the end. They always do. One of the
>questions for this WG (and others) to consider is how well the NTIA proposals
>accommodate the various conflicting demands from engineers, lawyers and
>politicians.

Don't make this more political than it is. The proposals are in a section called "Six Possible Process Flow Models." The NTIA is not saying, here are 6, vote. It's saying "tell us, and here's kinda what we are thinking."

Be technical. Be what you do best. Don't try to beat politicians at their game. Bad strategy, I've found.

One reason I am not offering my opinion here is that I'd rather 100 people write against what I'd say from their own minds and not to pick a fight. A hundred genuine opinions is better than a thousand "me too's" or "not me too's."

Besides, my idea involves a team of trained monkeys, explosive bolts, three clowns, an asteroid and a capsized oil rig. If nothing else, it'd be real cool.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

Never confuse activity with progress. Activity pays more.
From dburk at burkov.aha.ru Mon Oct 20 22:07:30 2008
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Tue, 21 Oct 2008 00:07:30 +0400
Subject: [dns-wg] root zone signing
In-Reply-To: <48FCD398.4040507@dougbarton.us>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <20081020183452.GB1585@vacation.karoshi.com.> <48FCD398.4040507@dougbarton.us>
Message-ID: <48FCE502.5030203@burkov.aha.ru>

Doug Barton wrote:
> bmanning at vacation.karoshi.com wrote:
>
>> On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:
>>
>>> I appreciate that some people will feel that legal agreements are an
>>> unavoidable consequence of signing. However that's a matter between
>>> each TLD (and its government?) and those co-ordinating the root.
>>> There are no technical grounds for parent and child zones to have a
>>> legal agreement underpinning their use of DNSSEC. So if a TLD wants to
>>> have a signed delegation, they can do that with or without an
>>> agreement or anything that could be viewed as an acceptance of the way
>>> the root is managed today. If a TLD doesn't want to have a signed
>>> delegation, then they don't have to. Nobody's being compelled to do
>>> anything they don't want.
>>>
>> well... as Lutz has demonstrated, it's often difficult to
>> have a signed delegation and also be able to restrict who
>> picks up your DNSKEY and plops it into their version of the parent
>> delegation.
>>
>
> DNSKEY is just a Resource Record, just like NS. The same arguments
> apply to both, with equal meaning technically. People are applying
> meaning to DNSSEC-related stuff that it does not actually have. For
> some reason you are adding fuel to that fire.
>

Doug, please, change your mind - it is not just a Record. You will begin to use all the stuff that has a different background in real - non-network life, with all the problems that it will raise.
Dima

> Doug
>

From dburk at burkov.aha.ru Mon Oct 20 22:28:40 2008
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Tue, 21 Oct 2008 00:28:40 +0400
Subject: [dns-wg] Re: root zone signing
In-Reply-To: <16FB4526-D94F-422A-BB85-D2E94C626D9A@rfc1035.com>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> <133852AB-7C1B-4E82-B54B-F504B3B64F33@rfc1035.com> <48FCBF26.3020704@burkov.aha.ru> <16FB4526-D94F-422A-BB85-D2E94C626D9A@rfc1035.com>
Message-ID: <48FCE9F8.3090507@burkov.aha.ru>

Jim Reid wrote:
> On Oct 20, 2008, at 18:25, Dmitry Burkov wrote:
>
>> I hope that you remember laws of Murphy and Peter... or if it can
>> happen it will happen and so on...
>
> Indeed. But I worry about how those laws could be applied to the
> current insecure DNS. This is a much, much bigger danger than getting
> the root signed. What we've seen so far with cache poisoning attacks
> has been bad. And it will get worse. Meanwhile, we have a technology
> that works that can pretty much eliminate that problem. But it's
> blocked by layer-9 problems. So far. The NTIA NoI is at least a step
> forward to removing those obstacles.

Jim, imagine a different approach/view - that a signed root can be more dangerous (potentially) for some countries than an unsigned one. Do you really believe in the best intentions of some governments, as they expressed their intentions during the last few months? I can only repeat that as an engineer I understood you and - to be honest - would try to do the same in an idealistic world. But as I live here - on the earth - I will try to escape potential problems before they create real problems. For me - it seems - we should openly discuss potential consequences for countries as we introduce these tools. I heard a lot of opinions that it is just a technical issue - and that it is wrong to discuss it in a political context.
I hope that it is just a misunderstanding - and guys can understand that this small and long-expected change can have a different meaning than they expected before.

>
>> When in our world services for citizens more and more depends on
>> Internet - I really worry about principal changes in Internet
>> architecture.
>
> I agree. But I don't see signing the root like that. It will allow
> those TLDs who want to deploy DNSSEC to proceed without ugly hacks
> that probably won't help in the long run. But signing the root won't
> have any impact on the TLDs who don't want to sign their zone.
> Similarly, those who *use* DNSSEC will know what they're getting in to
> and take the appropriate decisions to mitigate those risks. Those who
> won't use DNSSEC will just carry on as if the root was never signed:
> they'll see no difference. Well, except from an increased exposure to
> security attacks predicated on DNS spoofing.

The problem will be in future software development from one side - the second - and maybe more important - is that we will force the world to split into camps. I really don't want it - and it is a key point for me.

>
>> If before we defacto have a system which was depended on more techies
>> - person and professional-based responsibility - in future we can get
>> more automated
>> system which will lose this previous basement and can become a weapon
>> in hands of politicals.
>
>
> Politicians and governments win out in the end. They always do. One of
> the questions for this WG (and others) to consider is how well the
> NTIA proposals accommodate the various conflicting demands from
> engineers, lawyers and politicians.

for me - it is a way to hell.
thanks,
Dima

From dburk at burkov.aha.ru Mon Oct 20 22:54:00 2008
From: dburk at burkov.aha.ru (Dmitry Burkov)
Date: Tue, 21 Oct 2008 00:54:00 +0400
Subject: [dns-wg] Re: root zone signing
In-Reply-To: <1BBBF679-B1BE-41EB-B258-6D766FAB312C@virtualized.org>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> <1BBBF679-B1BE-41EB-B258-6D766FAB312C@virtualized.org>
Message-ID: <48FCEFE8.1010206@burkov.aha.ru>

David Conrad wrote:
> Dima,
>
> On Oct 20, 2008, at 9:55 AM, Dmitry Burkov wrote:
>> for me the issue - as I wrote in previous email to Joao - it is how
>> it can be used in software in future.
>
> As I'm sure you're aware, the only thing DNSSEC-signing the root does
> is allow for validating resolvers to verify the data from the root
> zone hasn't been modified from the point at which it was signed to the
> point at which it is used by the validating resolver. If
> {IANA,VeriSign,NTIA} were to do something "bad", the contents of the
> root zone would be altered, regardless of whether the root zone were
> signed. In order to avoid this badness, operators of caching servers
> would need to modify their root hints to point to root servers serving
> non-bad data or take other steps that mucked with the caching server's
> configuration. If the root were DNSSEC-signed, the configuration
> mucking would need to include changing the root trust anchor

David, technically you are right - but you missed the point that by introducing one repository in one jurisdiction we will get a problem, especially when software vendors deploy new features.

>
> I don't see the significantly increased risk here by adding DNSSEC.

David, you missed one point - loss of trust - it was one of the items that were practically unchanged for years and became de facto.
During all the last discussions on internet governance it was one of the arguments pro stability and practical independence - what can we say today?

>
>> After that I want to remind that the political world is not
>> hierarchical - and when we put something with legal background to
>> technical implementation it will immediately raise political issues
>> as it does not reflect reality.
>
> Sorry? What legal background are you talking about?

It is easy enough - digital signatures based on concrete laws in different countries which are incompatible - please, check.

>
> As for reflecting reality, I'm gathering what you're referencing is
> the fact that the US government has an authorization role in root
> management. First: none of the scenarios for DNSSEC-signing the root
> changes this, so we'd be no better or worse off than we are now.
> Second: lots of governments, many of which are in Europe, support the
> US government having the role it does in root zone management. Given
> this, I suspect it is unlikely there will be a change in roles for the
> foreseeable future. It would be unfortunate if DNSSEC-signing the
> root were held back because of this.

For me the situation seems worse - it is just a personal opinion - but I tried to express it - no more. It is not an argument that some countries support one country, or even a lot of them - discussing this issue we are in a different dimension where no one can dictate to others. Hope you can understand me - that we should recognize national independence (sorry guys for these words - but I can't miss it). Sometimes the majority can be mistaken. Unfortunately, we can't put this world into just our technocracy models...
Dima

>
> Regards,
> -drc
>

From drc at virtualized.org Tue Oct 21 00:50:46 2008
From: drc at virtualized.org (David Conrad)
Date: Mon, 20 Oct 2008 15:50:46 -0700
Subject: [dns-wg] root zone signing
In-Reply-To: <20081020183452.GB1585@vacation.karoshi.com.>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <20081020183452.GB1585@vacation.karoshi.com.>
Message-ID: <44547452-9B72-490A-B0E8-8597EFA0F928@virtualized.org>

Bill,

On Oct 20, 2008, at 11:34 AM, bmanning at vacation.karoshi.com wrote:
> perhaps, if one buys into the argument that there is only a
> single parent.

So, just to be clear, you're arguing the root shouldn't be signed and instead each validating resolver operator should harvest DNSKEYs of all zones that are signed?

Couldn't you harvest DNSKEYs regardless of whether the root is signed or not?

Thanks,
-drc

From drc at virtualized.org Tue Oct 21 00:33:19 2008
From: drc at virtualized.org (David Conrad)
Date: Mon, 20 Oct 2008 15:33:19 -0700
Subject: [dns-wg] Re: root zone signing
In-Reply-To: <48FCEFE8.1010206@burkov.aha.ru>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> <1BBBF679-B1BE-41EB-B258-6D766FAB312C@virtualized.org> <48FCEFE8.1010206@burkov.aha.ru>
Message-ID:

Dima,

On Oct 20, 2008, at 1:54 PM, Dmitry Burkov wrote:
> technically you are right - but you missed the point that with
> introducing one repository in one jurisdiction we will get a problem
> especially when software vendors will deploy new features.

So, you're arguing against DNSSEC as defined, not just signing the root. Apologies if I misunderstood.

> you missed one point - lost of trust - it was one of the items that
> were practically unchanged for years and became defacto.
You appear to be asserting that {IANA,VeriSign,NTIA} doing something "bad" is somehow worse if it gets DNSSEC-signed. I don't get it. If {IANA,VeriSign,NTIA} does something that causes loss of trust, then trust is lost. The fact that the bad change can be verified by caching servers as accurate in such a case seems irrelevant to me.

> During all last dicussions on internet governance it was one argues
> pro stability and practical independance - what we can say today?

That DNSSEC doesn't significantly change the trustworthiness of the data prior to it getting signed, but does ensure that that data, once signed, can be validated. No more and no less.

>> Sorry? What legal background are you talking about?
> It is enough easy - digital signatures based on concrete laws in
> different countries which are incompatible - please, check.

Sorry, still don't get it. All we're talking about here is providing an ability to detect data has been modified from the point where somebody (IANA, VeriSign, a third party) signs it to the validating resolver. No one to my knowledge is proposing there be a legally binding attestation that said data is accurate. I'm not even sure such an attestation would make sense even if somebody was trying to make it.

> Hope you can understand me - that we should recognize national
> independance (sorry guys for this words - but I can't miss it).

Are you familiar with the colloquialism "trying to close the barn door after the horses have bolted"? In 1996, the US government unilaterally asserted it had the right/responsibility to make these sorts of decisions. No (zero, none, nada) government complained at the time (much to my personal annoyance). Since then, processes have been worked out that allow for changes to be made with the US government acting only in an authorization role, presumably in order to prevent ICANN or VeriSign from running amok and destroying the Internet. Now, a dozen years later, the US Dept.
of Commerce is asking for input on a set of scenarios that will allow for a sucking chest wound that has existed in the DNS since its creation to (eventually) be fixed. If you think DNSSEC is a bad idea, that's fine input to provide. If you think one scenario is better than another, saying so (and giving reasons) would be ideal. But saying DNSSEC-signing threatens national independence isn't likely going to help anything unless you can give concrete justification why you believe DNSSEC-signing has an impact one way or another.

Regards,
-drc

From bmanning at vacation.karoshi.com Tue Oct 21 00:59:01 2008
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Mon, 20 Oct 2008 22:59:01 +0000
Subject: [dns-wg] root zone signing
In-Reply-To: <44547452-9B72-490A-B0E8-8597EFA0F928@virtualized.org>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <20081020183452.GB1585@vacation.karoshi.com.> <44547452-9B72-490A-B0E8-8597EFA0F928@virtualized.org>
Message-ID: <20081020225901.GA4516@vacation.karoshi.com.>

On Mon, Oct 20, 2008 at 03:50:46PM -0700, David Conrad wrote:
> Bill,
>
> On Oct 20, 2008, at 11:34 AM, bmanning at vacation.karoshi.com wrote:
> > perhaps, if one buys into the argument that there is only a
> > single parent.
>
> So, just to be clear, you're arguing the root shouldn't be signed and
> instead each validating resolver operator should harvest DNSKEYs of
> all zones that are signed?

no i am not. i report that the action of harvesting DNSKEYs and installing them into a zone purporting to be a parent is currently common practice. i have said nothing in this thread about the desirability or not of having signed zones. what can be inferred is that there are and will be many parties claiming to be "the root" and there is currently little to distinguish one from the other.
even if one signs one's TLD, there is zero assurance that only a single root will harvest the DNSKEY and install it in their version of "the root".

> Couldn't you harvest DNSKEYs regardless of whether the root is signed
> or not?

I could (but will not). Lutz can and does harvest DNSKEYs and installs them in the root. It's just not your version of "the root". It's not mine either. But then, mine is not shared by too many.

> Thanks,
> -drc

You're welcome,

--bill

From bortzmeyer at nic.fr Tue Oct 21 11:20:13 2008
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 21 Oct 2008 11:20:13 +0200
Subject: [dns-wg] Re: NTIA NoI: does anyone care?
In-Reply-To:
References:
Message-ID: <20081021092013.GB16823@nic.fr>

On Wed, Oct 15, 2008 at 10:12:17AM +0100, Jim Reid wrote a message of 20 lines which said:

> So far there has been no discussion on the list about the NTIA
> proposals about getting the root signed. I would have hoped someone
> would have said something by now. Sigh.

One may think that replying to a US government consultation (whatever the content of the reply) means an approval of its unilateral decision to manage the root... After all, why is such a consultation for an international resource managed by one government?

From bortzmeyer at nic.fr Tue Oct 21 11:25:58 2008
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 21 Oct 2008 11:25:58 +0200
Subject: [dns-wg] Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To:
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org>
Message-ID: <20081021092558.GC16823@nic.fr>

On Wed, Oct 15, 2008 at 10:44:34AM -0400, Edward Lewis wrote a message of 18 lines which said:

> This is why I think energy on this is better spent replying to the
> NTIA than here.
If you want to spend energy on DNSSEC deployment, you can also sign your zones, add them to a DLV registry such as the ISC one (*) and enable validation on your resolvers (and then handle your users' complaints). It will probably have a stronger effect than carefully crafting a reply which will probably be ignored, as all input from outside the US has been ignored in all forums since the take-over of the root.

PS: thanks to the managers of ".br" and ".cz", the first two TLDs to appear in the ISC DLV registry.

(*) Even if the root is signed, some TLDs won't be signed overnight. Two good things about DLV are that it does not require the root to be signed and it does allow managers of SLDs to be attached to a chain of trust even if their TLD is not signed.

From bortzmeyer at nic.fr Tue Oct 21 11:18:19 2008
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 21 Oct 2008 11:18:19 +0200
Subject: [dns-wg] Re: root zone signing
In-Reply-To: <1BBBF679-B1BE-41EB-B258-6D766FAB312C@virtualized.org>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com> <48FCB7F5.3050905@burkov.aha.ru> <1BBBF679-B1BE-41EB-B258-6D766FAB312C@virtualized.org>
Message-ID: <20081021091819.GA16823@nic.fr>

On Mon, Oct 20, 2008 at 10:58:07AM -0700, David Conrad wrote a message of 39 lines which said:

> Second: lots of governments, many of which are in Europe, support
> the US government having the role it does in root zone management.

Indeed, many NATO countries support their ally, the USA. But this is not the sort of reasoning that will convince people in Brazil, Russia or India...

From olaf at NLnetLabs.nl Tue Oct 21 11:31:37 2008
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Tue, 21 Oct 2008 11:31:37 +0200
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org>
Message-ID: <1BF6B6DA-1F15-4073-B9B6-06415497F033@NLnetLabs.nl>

On Oct 15, 2008, at 4:44 PM, Edward Lewis wrote:
> At 7:10 -0700 10/15/08, David Conrad wrote:
>> (that is "me too! is likely not helpful)
>
> Amen, brother.

1++

Bert

From brettlists at gmail.com Tue Oct 21 13:43:33 2008
From: brettlists at gmail.com (B C)
Date: Tue, 21 Oct 2008 12:43:33 +0100
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References:
Message-ID: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com>

On Wed, Oct 15, 2008 at 10:12 AM, Jim Reid wrote:
> So far there has been no discussion on the list about the NTIA proposals
> about getting the root signed. I would have hoped someone would have said
> something by now. Sigh.
>
> Please try to find some time to look at the NTIA's suggestions and if
> possible send your comments to the list. I think this WG has an obligation
> to make some sort of "official" response to the NTIA's consultation. After
> all, we played our part to get the ball rolling by producing the "sign the
> root" letter to ICANN at the Tallinn meeting. So now that there are some
> concrete proposals for consideration, I feel the WG should look at them and
> respond.
>
> I would also welcome suggestions from WG members about how to stimulate a
> discussion here about the NTIA proposals. Although time has been set aside
> in the RIPE57 agenda, that won't be enough. The majority of people on this
> list won't be in Dubai. And besides, it's really the list that should decide
> the WG's opinion and what action it should take.
>
> Over to you....
>

Jim,

I agree we need to discuss this as a group and am very interested in hearing people's opinions. I feel that the people from this wg should give their opinions directly to the NTIA, but also the dns-wg forming a collective opinion and sending it to the NTIA can only be a good thing.
My comments on the proposal(s) are below. Note these are my comments and opinions and not necessarily those of my current employer.

Brett.

I have read the proposals from both ICANN and Verisign and feel there are positive points to be taken from both proposals. I feel that the function of compiling and signing the root zone should be under the stewardship of a non-commercial, non-profit-driven entity who has internet stability and security as their primary concern; therefore I would support moving this function to ICANN.

However, one point that I would strongly support from the Verisign proposal is the multi-user stewardship of the KSK (the M of N principle). I believe ICANN should incorporate something similar to this in their process; however, the organizations chosen to be part of this group need to be very carefully chosen. I would suggest that again they should all be non-commercial organizations and represent Internet users from all parts of the globe; for this reason I would suggest that maybe the current RIRs (ARIN, AFRINIC, RIPE, LACNIC and APNIC) would be ideal groups to perform this function.

As a non-US citizen I do have some concerns as to why this process is being undertaken by a department of the US Government and not an international multi-stakeholder based group. I do not have a strong opinion as to what that group should be, but it does seem obvious to me that it should not be tied to one country, whoever that country is.

Regards

From jim at rfc1035.com Tue Oct 21 12:12:26 2008
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 21 Oct 2008 11:12:26 +0100
Subject: [dns-wg] Re: NTIA NoI: does anyone care?
In-Reply-To: <20081021092013.GB16823@nic.fr>
References: <20081021092013.GB16823@nic.fr>
Message-ID: <6AA6DB0C-ED80-438C-A7CD-DA930EF461CD@rfc1035.com>

On Oct 21, 2008, at 10:20, Stephane Bortzmeyer wrote:
> One may think that replying to a US government consultation (whatever
> the content of the reply) means an approval of its unilateral decision
> to manage the root...

People can think all sorts of things. Whether they're true or not is another matter. The facts here are the NTIA consultation is the only game in town. As you no doubt know Stephane, ICANN/IANA was slapped down when it tried to do its own consultation on signing the root earlier this year. Any other forum that tried to run a consultation on this subject would either be ignored or also get put in its place by NTIA/DoC. So the choice here is stark: contribute to the NTIA exercise or shun it.

> After all, why such a consultation for an international resource is
> managed by one governement?

Please take a discussion about the international aspects of root zone politics elsewhere. It doesn't belong in this WG. If you feel that this WG should not respond to the NTIA NoI because it "recognises" USG oversight of the root zone, that is in scope for the WG. In other words the WG can discuss whether we should respond to the NTIA consultation or not. But we shouldn't get into a discussion about the hows and whys of USG oversight of the root zone. At least, we won't have that discussion here.

From Ed.Lewis at neustar.biz Tue Oct 21 12:16:55 2008
From: Ed.Lewis at neustar.biz (Edward Lewis)
Date: Tue, 21 Oct 2008 12:16:55 +0200
Subject: [dns-wg] Re: NTIA NoI: does anyone care?
In-Reply-To: <20081021092013.GB16823@nic.fr>
References: <20081021092013.GB16823@nic.fr>
Message-ID:

At 11:20 +0200 10/21/08, Stephane Bortzmeyer wrote:
>One may think that replying to a US government consultation (whatever
>the content of the reply) means an approval of its unilateral decision
>to manage the root...
Then submit that comment to them. Here it counts for nothing.

>After all, why such a consultation for an international resource is
>managed by one governement?

Because they started it, have been doing it, and are paying for the current operations. If you want them to save their money and not do this, express the opinion.

When given the chance to express an opinion, why not take it?

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

Never confuse activity with progress. Activity pays more.

From mlarson at verisign.com Tue Oct 21 15:29:42 2008
From: mlarson at verisign.com (Matt Larson)
Date: Tue, 21 Oct 2008 09:29:42 -0400
Subject: [dns-wg] Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To: <20081021092558.GC16823@nic.fr>
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr>
Message-ID: <20081021132942.GT554@dul1mcmlarson-l1.verisignlabs.com>

On Tue, 21 Oct 2008, Stephane Bortzmeyer wrote:
> On Wed, Oct 15, 2008 at 10:44:34AM -0400,
> Edward Lewis wrote
> a message of 18 lines which said:
>
> > This is why I think energy on this is better spent replying to the
> > NTIA than here.
>
> [...]
> It will probably have a stronger effect than carefully crafting a
> reply which will probably be ignored, as all input from outside the US
> has been ignored in all forums since the take-over of the root.

I would not underestimate the effect of a thoughtful reply to the NoI. Since VeriSign interacts with the US DoC surrounding root zone maintenance, I know the staff there. They are clueful and I believe they want to do the right thing. I also believe that the NoI is a genuine request for information and not some kind of bureaucratic formality.
Matt

From Ed.Lewis at neustar.biz Tue Oct 21 14:49:11 2008
From: Ed.Lewis at neustar.biz (Edward Lewis)
Date: Tue, 21 Oct 2008 14:49:11 +0200
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com>
References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com>
Message-ID:

At 12:43 +0100 10/21/08, B C wrote:
>I would suggest that again they should all be non commercial organizations
>and represent Internet users from all parts of the globe, for this reason I
>would suggest that maybe the current RIRs (ARIN, AFRINIC, RIPE, LACNIC and
>APNIC) would be ideal groups to perform this function.

Like this?

http://www.ripe.net/ripe/meetings/ripe-45/presentations/ripe45-techsec-ksk-mgmt.pdf
http://www.arin.net/meetings/minutes/ARIN_XI/PDF/Tuesday/11_keys_Ihren.pdf

Don't know if there was one at APNIC. (LACNIC and AFRINIC weren't in place then.)

Five and a half years ago. There were a series of pitches to the RIRs to take the role of KSK monitors. They said "no thanks, we are IP numbers, not Domain Names." Something about separation of duties, not wanting to be tied to the ICANN role, etc.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar

Never confuse activity with progress. Activity pays more.

From randy at psg.com Tue Oct 21 16:50:17 2008
From: randy at psg.com (Randy Bush)
Date: Tue, 21 Oct 2008 09:50:17 -0500
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com>
Message-ID: <48FDEC29.8090003@psg.com>

> Five and a half years ago. There were a series of pitches to the RIRs
> to take the role of KSK monitors. They said "no thanks, we are IP
> numbers, not Domain Names." Something about separation of duties, not
> wanting to be tied to the ICANN role, etc.

occasionally, the community has a burst of wisdom.
fix the iana, don't rebuild the same problem(s) in another place. and the iana has been functionally fixed, thanks drc, br, ... now get it out from under the usg.

randy

From paul at xelerance.com Tue Oct 21 16:59:46 2008
From: paul at xelerance.com (Paul Wouters)
Date: Tue, 21 Oct 2008 10:59:46 -0400 (EDT)
Subject: [dns-wg] Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To: <20081021092558.GC16823@nic.fr>
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr>
Message-ID:

On Tue, 21 Oct 2008, Stephane Bortzmeyer wrote:

> PS: thanks to the managers of ".br" and ".cz", the two first TLDs to
> appear in the ISC DLV registry.

Why should these be in the DLV? I'd rather see people configure their resolvers properly. Will this cause people who use properly configured resolvers to send DLV requests for those TLDs?

Paul

From pk at DENIC.DE Tue Oct 21 17:34:36 2008
From: pk at DENIC.DE (Peter Koch)
Date: Tue, 21 Oct 2008 17:34:36 +0200
Subject: [dns-wg] root zone signing
In-Reply-To: <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com>
References: <48F61D54.1030602@burkov.aha.ru> <41C9450F-8775-4D6C-9897-5305A68514E3@isc.org> <48FC98DF.2080104@burkov.aha.ru> <2ECA1D87-4ED0-49A9-9102-1DB6178EF2C5@rfc1035.com>
Message-ID: <20081021153436.GA1970@unknown.office.denic.de>

On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:

> IMO, there's no "lawyer stuff" here. At least as far as signing the
> root is concerned. All that's happening is some TLD presents its KSK,
> IANA verifies that key and then causes a signature over that key to be
> generated. Which pretty much means that IANA is saying "we assert that
> this was the TLD KSK that we checked": nothing more.

IMHO it is important to emphasize that the semantics are in the DS RR, not in the RRSIG(DS). The latter only authenticates the (technically authoritative) DS RR in the parent zone.
At least in theory, one could start to publish DS RRs without signing them. -Peter From drc at virtualized.org Tue Oct 21 18:30:24 2008 From: drc at virtualized.org (David Conrad) Date: Tue, 21 Oct 2008 09:30:24 -0700 Subject: [dns-wg] NTIA NoI: does anyone care? In-Reply-To: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com> References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com> Message-ID: Hi, On Oct 21, 2008, at 4:43 AM, B C wrote: > However one point that I would strongly support from the Verisign > proposal is the multi user stewardship of the KSK (the M of N > principle) Just to be clear, the KSK signing ceremony is something that happens rarely, e.g. O(years). Given the importance of the event, it would seem to me that it would be appropriate for attendance of all observers/participants to be mandatory (if someone isn't able to come for whatever reason, e.g., they've disappeared, that person/entity's role should be reassigned prior to the ceremony). As such, M of N would imply that you could have non-unanimity in the creation of the KSK. This strikes me as a really questionable situation to get into. Given the relative rarity of the KSK generation event, I am unclear as to why the added complexity of M of N is beneficial. Could someone explain? Thanks, -drc From paul at xelerance.com Tue Oct 21 18:30:35 2008 From: paul at xelerance.com (Paul Wouters) Date: Tue, 21 Oct 2008 12:30:35 -0400 (EDT) Subject: [dns-wg] NTIA NoI: does anyone care? In-Reply-To: References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com> Message-ID: On Tue, 21 Oct 2008, David Conrad wrote: > to get into. Given the relative rarity of the KSK generation event, I am > unclear as to why the added complexity of M of N is beneficial. Could > someone explain? So we can filibuster the key rollover? 
:)

Paul

From drc at virtualized.org Tue Oct 21 18:41:14 2008
From: drc at virtualized.org (David Conrad)
Date: Tue, 21 Oct 2008 09:41:14 -0700
Subject: [dns-wg] Re: NTIA NoI: does anyone care?
In-Reply-To:
References: <20081021092013.GB16823@nic.fr>
Message-ID: <45B83874-56B0-4BF8-93AC-02F9F630C6D1@virtualized.org>

On Oct 21, 2008, at 3:16 AM, Edward Lewis wrote:

> At 11:20 +0200 10/21/08, Stephane Bortzmeyer wrote:
>> One may think that replying to a US government consultation (whatever
>> the content of the reply) means an approval of its unilateral decision
>> to manage the root...
> Then submit that comment to them. Here it counts for nothing.

Yep. However, as long as other governments support the US governmental role, I suspect comments along these lines will not carry much weight. Not to stray too far into international geo-politics, but getting governments to stop telling the US Government in private that they want the US government to continue the role they currently hold would probably be more beneficial in reaching the goal I assume you desire.

>> After all, why is such a consultation for an international resource
>> managed by one government?
> Because they started it, have been doing it, and are paying for the
> current operations.

Yes, the US government started it and have been doing it (and other governments keep telling them to continue doing it), but they are NOT paying for the current operations, at least IANA operations.

And to be clear, pragmatically speaking, the international resource in question (the root zone) is _not_ managed by one government. The US government role has, to date, been limited to authorizing changes proposed by IANA. They do not propose changes nor have they ever altered a change request. Actual management of the root zone is done pretty much as it has always been done since RFC 1591 was published, by folks within IANA, VeriSign, and the root operators.
Regards, -drc From mlarson at verisign.com Tue Oct 21 19:34:11 2008 From: mlarson at verisign.com (Matt Larson) Date: Tue, 21 Oct 2008 13:34:11 -0400 Subject: [dns-wg] NTIA NoI: does anyone care? In-Reply-To: References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com> Message-ID: <20081021173411.GI554@dul1mcmlarson-l1.verisignlabs.com> On Tue, 21 Oct 2008, David Conrad wrote: > On Oct 21, 2008, at 4:43 AM, B C wrote: >> However one point that I would strongly support from the Verisign >> proposal is the multi user stewardship of the KSK (the M of N >> principle) > > Just to be clear, the KSK signing ceremony is something that happens > rarely, e.g. O(years). Given the importance of the event, it would seem > to me that it would be appropriate for attendance of all > observers/participants to be mandatory (if someone isn't able to come > for whatever reason, e.g., they've disappeared, that person/entity's > role should be reassigned prior to the ceremony). As such, M of N would > imply that you could have non-unanimity in the creation of the KSK. This > strikes me as a really questionable situation to get into. Given the > relative rarity of the KSK generation event, I am unclear as to why the > added complexity of M of N is beneficial. Could someone explain? To be clear, M-of-N in the VeriSign proposal applies to both KSK generation and KSK use, i.e., every time the KSK is used to sign a new root zone keyset, M-of-N authorizers need to be present. This form of M-of-N is implemented in modern HSMs and can be done today. This choice was a very conscious decision to avoid concentrating control of the KSK in any single organization. (Reading the proposal, you will note that VeriSign is not proposing to control the KSK itself.) Since root keysets can be signed in advance (e.g., generate X future ZSKs and then sign them all at once when M-of-N are present), M-of-N authorization for the KSK need not be administratively onerous. 
Matt

From bmanning at ISI.EDU Tue Oct 21 19:36:18 2008
From: bmanning at ISI.EDU (Bill Manning)
Date: Tue, 21 Oct 2008 10:36:18 -0700
Subject: [dns-wg] Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To:
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr>
Message-ID: <20081021173618.GA26475@boreas.isi.edu>

On Tue, Oct 21, 2008 at 10:59:46AM -0400, Paul Wouters wrote:
> On Tue, 21 Oct 2008, Stephane Bortzmeyer wrote:
>
> >PS: thanks to the managers of ".br" and ".cz", the first two TLDs to
> >appear in the ISC DLV registry.
>
> Why should these be in the DLV? I'd rather see people configure their
> resolvers properly. Will this cause people who use properly configured
> resolvers to send DLV requests for those TLDs?
>
> Paul

they should be in the DLV so that ISC can properly bid for being the root key operator.

--
--bill

Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).

From bmanning at ISI.EDU Tue Oct 21 19:43:20 2008
From: bmanning at ISI.EDU (Bill Manning)
Date: Tue, 21 Oct 2008 10:43:20 -0700
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com>
Message-ID: <20081021174320.GB26475@boreas.isi.edu>

On Tue, Oct 21, 2008 at 09:30:24AM -0700, David Conrad wrote:
> Hi,
>
> On Oct 21, 2008, at 4:43 AM, B C wrote:
> >However one point that I would strongly support from the Verisign
> >proposal is the multi user stewardship of the KSK (the M of N
> >principle)
>
> Just to be clear, the KSK signing ceremony is something that happens
> rarely, e.g. O(years). Given the importance of the event, it would

that's the ICANN plan, plans can and do change. are there assurances that this event will remain "rare"?

> role should be reassigned prior to the ceremony).
> As such, M of N
> would imply that you could have non-unanimity in the creation of the
> KSK. This strikes me as a really questionable situation to get into.
> Given the relative rarity of the KSK generation event, I am unclear as
> to why the added complexity of M of N is beneficial. Could someone
> explain?

MofN does allow for non-unanimity - but clearly is consensus driven. one could argue that distributing risk by diffusing the responsibility actually increases the stability and robustness of a system. concentration of function (collect, edit, sign, publish) does have its attractions but the potential downsides due to lack of oversight seem to be showstoppers - at least from this part of the peanut gallery

>
> Thanks,
> -drc

--
--bill

Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).

From drc at virtualized.org Tue Oct 21 19:56:58 2008
From: drc at virtualized.org (David Conrad)
Date: Tue, 21 Oct 2008 10:56:58 -0700
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To: <20081021173411.GI554@dul1mcmlarson-l1.verisignlabs.com>
References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com> <20081021173411.GI554@dul1mcmlarson-l1.verisignlabs.com>
Message-ID:

On Oct 21, 2008, at 10:34 AM, Matt Larson wrote:
> This choice was a very conscious decision to avoid concentrating
> control of the KSK in any single organization.

That's not what I'm questioning. I don't think any proposal is putting control in any single organization. Given the importance of the KSK, the question is why would you ever want a situation where N is less than M. It seems to me that lack of unanimity of the key (part) holders would be just crazy.

Regards,
-drc

From mlarson at verisign.com Tue Oct 21 20:04:01 2008
From: mlarson at verisign.com (Matt Larson)
Date: Tue, 21 Oct 2008 14:04:01 -0400
Subject: [dns-wg] NTIA NoI: does anyone care?
In-Reply-To:
References: <5c494b510810210443p5887e86akc1106344998aa920@mail.gmail.com> <20081021173411.GI554@dul1mcmlarson-l1.verisignlabs.com>
Message-ID: <20081021180401.GN554@dul1mcmlarson-l1.verisignlabs.com>

On Tue, 21 Oct 2008, David Conrad wrote:
> On Oct 21, 2008, at 10:34 AM, Matt Larson wrote:
>> This choice was a very conscious decision to avoid concentrating
>> control of the KSK in any single organization.
>
> That's not what I'm questioning. I don't think any proposal is putting
> control in any single organization. Given the importance of the KSK, the
> question is why would you ever want a situation where N is less than M.

I think you mean "M is less than N".

> It seems to me that lack of unanimity of the key (part) holders would be
> just crazy.

M < N allows for some parties not to be present, which might be reasonable depending on which parties make up the N. (As a practical matter, when hardware-based authorization tokens are used, M is always less than N, with additional tokens held in escrow or otherwise kept safe, so a failure can be tolerated.)

Matt

From lutz at iks-jena.de Wed Oct 22 09:07:46 2008
From: lutz at iks-jena.de (Lutz Donnerhacke)
Date: Wed, 22 Oct 2008 07:07:46 +0000 (UTC)
Subject: [dns-wg] Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
References: <20081021173618.GA26475@boreas.isi.edu>
Message-ID:

* Bill Manning wrote:
> they should be in the DLV so that ISC can properly bid for being
> the root key operator.

Using this argument, I will control a root key, too.

. DNSKEY 257 3 5 ( BQEAAAABu13HdYlS35tf+wtpDlwkfPhz9sCqYHMPUDXf
                   NUt8ePPrBPQxZvZIx7tere9mX3u1tC8Ooxr5IMQa7D2y
                   n2ZfomVk9rF+7Rtxtlu9LmNSDcqCa7JwrJyhg3eDyQ/+
                   2fOwb+XhVEsjoMFY09DglZSWHroKOieFw4X1sZLvmmXc
                   zYv2yzd/uP5xIxxofh++vfQ4505oYlkymLehWXfT1lqq
                   pszH9d/A7GHGmgdS8uyXq5LJC+PPJjdndcas4DH/Ja24
                   NrIvzzX8ZXNimO13+YMnKQdDSxS3yQWztSVgcY2GwRLW
                   M9fiCX+e351OnIhYE+FjhHdg6M716Jf8ZDGoBO5Qrn3H
                   MejItFBekBo9Rf2ZYzukSbu06CfFBpX/HQuAOYfp2/7D
                   56cG8SRH2d0sF3KAygSwAs3XvDv/dXcKMMqKftw5nxvv
                   50o9OOUHgIR9kGVAax90oz1ZgtygQMMTHe2QuAaLwqso
                   19Y2jb3qHIvyi+N94rwQDzUrnMR3RFbL8P4XF4yzrYIE
                   Xkx6U9X8myHYQxbHdZ3N4rBoBvjjACX1Vpl7bdDnKC/b
                   ITW34xpmNRZl+3K80zx5r0t9O9Csdylgach0CCNsu1I9
                   ERHYk/rEdzvSOiwSDYpMB3MlgYARjjWfx8YfSp1QV4fw
                   o3i6ZZ3yFtlYKcw23zD5Qe/YtLQ5H+8= ) ; key id = 47484

From bortzmeyer at nic.fr Thu Oct 23 11:16:08 2008
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Thu, 23 Oct 2008 11:16:08 +0200
Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To:
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr>
Message-ID: <20081023091608.GA15397@nic.fr>

On Tue, Oct 21, 2008 at 10:59:46AM -0400, Paul Wouters wrote a message of 10 lines which said:

> Why should these be in the DLV?

Because, otherwise, how could I validate domains under ".br" and ".cz"? By trying to find a public key on their (https) Web site and adding it as a trust anchor? By exchanging PGP-signed email with Federico or Ondrej? This does not scale.

> I'd rather see people configure their resolvers properly.

What is a proper configuration? My BIND has:

dnssec-enable yes;
dnssec-lookaside . trust-anchor dlv.isc.org.;
dnssec-validation yes;
include "/etc/bind/trust-anchors"; // A few DNSKEY for domains
                                   // I was able to check personally

Better suggestions are welcome.

> Will this cause people who use properly configured resolvers to send
> DLV requests for those TLDs?
If "properly configured" is the configuration above, yes :-) From drc at virtualized.org Thu Oct 23 18:14:04 2008 From: drc at virtualized.org (David Conrad) Date: Thu, 23 Oct 2008 09:14:04 -0700 Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care? In-Reply-To: <20081023091608.GA15397@nic.fr> References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> Message-ID: <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> Stephane, On Oct 23, 2008, at 2:16 AM, Stephane Bortzmeyer wrote: >> Why should these be in the DLV ? > Because, otherwise, how could I validate domains under ".br" and > ".cz"? IANA is planning on announcing the beta version of the IANA interim trust anchor repository during the upcoming RIPE meeting. This TAR uses the established trust relationships to obtain the trust anchors and publishes those trust anchors via an X.509 protected web site. > This does not scale. True, however it does scale for TLDs. > What is a proper configuration? My BIND has: > > dnssec-enable yes; > dnssec-lookaside . trust-anchor dlv.isc.org.; > dnssec-validation yes; I've always been curious why there are two binary switches for turning on DNSSEC in BIND (particularly since BIND always sets "DNSSEC OK", regardless of whether those switches are true or any trust anchors have been configured), but that's not your issue... > > include "/etc/bind/trust-anchors"; // A few DNSKEY for domains > // I was able to check personnally > > Better suggestions are welcome. FWIW, on my laptop, I have a really simple cronjob that fetches the root zone trust anchor from IANA's testbed and HUPs the server. However, I won't actually care about the ITAR itself, since I slave the root zone on my laptop and the IANA DNSSEC testbed root zone has all the TLD trust anchors to date and will continue to do so. 
The ITAR could, of course, be fetched instead of the root zone trust anchor if you don't happen to trust IANA's generation of the root zone in its DNSSEC testbed.

Regards,
-drc

From shane at time-travellers.org Thu Oct 23 21:23:00 2008
From: shane at time-travellers.org (Shane Kerr)
Date: Thu, 23 Oct 2008 21:23:00 +0200
Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To: <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org>
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org>
Message-ID: <1224789780.5305.215.camel@shane-macbook-pro>

David,

On Thu, 2008-10-23 at 09:14 -0700, David Conrad wrote:
> > This does not scale.
>
> True, however it does scale for TLDs.

I disagree, for my own (admittedly lazy) sysadmin standards. Right now, one needs:

* SE keys, pulled from their WWW site, plus you need to subscribe to a mailing list to get announcements about key rollovers.
* RIPE keys, pulled from their WWW site, plus you need to subscribe to the appropriate mailing list; which is the same as the SE list now thankfully. (Okay, RIPE is not a TLD, but I consider the DNSSEC-secured reverse tree to be at an equivalent level.)
* BR keys, pulled from their WWW site, plus you need to subscribe to the appropriate mailing list.
* PR keys, pulled from their WWW site (not SSL secured, but oh well). There is a link for a mailing list, but the page wasn't working when I tried (reported, surely just a temporary error).
* CZ keys, pulled from their WWW site, plus you need to subscribe to the appropriate mailing list.
* BG keys, pulled from... the Unbound setup? (Sorry, I could not find their trust anchor information online, nor a mailing list. Possibly only in Bulgarian?)
At least, this is how I think one has to do this "properly" (instead of just looking for keys in the TLD servers). This is already a lot of work, really. If you use DLV, you can remove the work for BR and CZ from this list (and hopefully more soon), *plus* get a lot of records for unsigned TLDs. > FWIW, on my laptop, I have a really simple cronjob that fetches the > root zone trust anchor from IANA's testbed and HUPs the server. > However, I won't actually care about the ITAR itself, since I slave > the root zone on my laptop and the IANA DNSSEC testbed root zone has > all the TLD trust anchors to date and will continue to do so. The > ITAR could, of course be fetched instead of the root zone trust anchor > if you don't happen to trust IANA's generation of the root zone in its > DNSSEC testbed. Nice! At least for the TLD space. :) -- Shane From drc at virtualized.org Thu Oct 23 22:52:21 2008 From: drc at virtualized.org (David Conrad) Date: Thu, 23 Oct 2008 13:52:21 -0700 Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care? In-Reply-To: <1224789780.5305.215.camel@shane-macbook-pro> References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <1224789780.5305.215.camel@shane-macbook-pro> Message-ID: <3C114091-BEA9-496A-A6C5-3FC6518AB66A@virtualized.org> Shane, On Oct 23, 2008, at 12:23 PM, Shane Kerr wrote: > David, > > On Thu, 2008-10-23 at 09:14 -0700, David Conrad wrote: >>> This does not scale. >> True, however it does scale for TLDs. > I disagree, for my own (admittedly lazy) sysadmin standards. Apologies, I elided a bit much. I was saying the ITAR scales for TLDs. 
It can be argued that it most likely won't scale as a general (that is, more than TLDs) TAR since, if nothing else, I suspect caching server implementations probably aren't built to handle O(100000+) trust anchors.

> If you use DLV,

I've resolved (pun intended) to not comment on DLV.

Regards,
-drc

From bortzmeyer at nic.fr Fri Oct 24 16:03:07 2008
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 24 Oct 2008 18:03:07 +0400
Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To: <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org>
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org>
Message-ID: <20081024140307.GA21162@laperouse.bortzmeyer.org>

On Thu, Oct 23, 2008 at 09:14:04AM -0700, David Conrad wrote a message of 44 lines which said:

> IANA is planning on announcing the beta version of the IANA interim
> trust anchor repository during the upcoming RIPE meeting.

ITAR won't replace DLV because (correct me if I'm wrong), it will work only for TLDs. Many TLDs won't be signed overnight (signing ".com" is not something to do lightly, ".fr" is not signed and has no detailed plan for DNSSEC yet, ".de" announced nothing, etc) so, EVEN IF THE ROOT IS SIGNED, we still need DLV.

I manage sources.org. Without DLV, I would need signature of the root AND of ".org" AND cooperation from my registrar (which still does not allow AAAA glue, I wonder how long it will take them for allowing DS). With DLV, it works for everyone who is too lazy, like Shane, to try to find the public key of my small vanity domain in a secure way.

From drc at virtualized.org Sat Oct 25 18:37:01 2008
From: drc at virtualized.org (David Conrad)
Date: Sat, 25 Oct 2008 09:37:01 -0700
Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To: <20081024140307.GA21162@laperouse.bortzmeyer.org> References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> Message-ID: <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> Stephane, On Oct 24, 2008, at 7:03 AM, Stephane Bortzmeyer wrote: >> IANA is planning on announcing the beta version of the IANA interim >> trust anchor repository during the upcoming RIPE meeting. > ITAR won't replace DLV because (correct me if I'm wrong), it will work > only for TLDs. It is true that IANA's iTAR will only accept trust information for TLDs. If the Internet community wants the IANA to support a more generalized TAR, I would think the normal course of action would be for DNSOP to put out an RFC with an IANA considerations section telling IANA what to do. > EVEN IF THE ROOT IS SIGNED, we still need DLV. I would agree that we will likely need some mechanism to distribute trust anchors for the various islands of trust that will continue to exist even after the root is signed. I will not go so far as to say we need DLV which I personally believe is non-scalable, non-standard, and imputes a highly questionable trust model into _every_ non-cached DNS lookup (sigh, another broken resolution). > I manage sources.org. Without DLV, I would need signature of the > root AND of ".org" As you may be aware, PIR has already announced they're planning on signing .ORG. Based on empirical evidence, I suspect .ORG will be signed (and in the iTAR) before the root is signed. > AND cooperation from my registrar (which still does not > allow AAAA glue, I wonder how long it will take them for allowing DS). You might want to consider changing registrars. 
Regards, -drc From randy at psg.com Sat Oct 25 18:45:04 2008 From: randy at psg.com (Randy Bush) Date: Sat, 25 Oct 2008 20:45:04 +0400 Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care? In-Reply-To: <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> Message-ID: <49034D10.90400@psg.com> David Conrad wrote: > DLV which I personally believe is non-scalable, non-standard, and > imputes a highly questionable trust model into _every_ non-cached DNS > lookup bingo. as i said when it was proposed, dlv is just isc ego producing root envy. >> my registrar (which still does not allow AAAA glue, I wonder how >> long it will take them for allowing DS). > You might want to consider changing registrars. as you likely know, the problem is opensrs, which is behind all the low-cost and open registrars. and we don't want to change to less open ones. randy From paul at xelerance.com Sat Oct 25 19:53:48 2008 From: paul at xelerance.com (Paul Wouters) Date: Sat, 25 Oct 2008 13:53:48 -0400 (EDT) Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care? 
In-Reply-To: <49034D10.90400@psg.com>
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> <49034D10.90400@psg.com>
Message-ID:

On Sat, 25 Oct 2008, Randy Bush wrote:

>> DLV which I personally believe is non-scalable, non-standard, and
>> imputes a highly questionable trust model into _every_ non-cached DNS
>> lookup
>
> bingo. as i said when it was proposed, dlv is just isc ego producing
> root envy.

Interesting conclusion. See, the way I understood it from Paul, is that it was not *meant* to scale, as it was an interim solution until not only the root, but large zones such as .com got signed properly.

You're claiming that isc had both bad intentions and bad code. I think I'll use Occam's Razor here, and stick with Paul's explanation.

> as you likely know, the problem is opensrs, which is behind all the
> low-cost and open registrars. and we don't want to change to less open
> ones.

I'll see about getting an update on that situation for you.

Paul

From randy at psg.com Sat Oct 25 20:03:20 2008
From: randy at psg.com (Randy Bush)
Date: Sat, 25 Oct 2008 22:03:20 +0400
Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To:
References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> <49034D10.90400@psg.com>
Message-ID: <49035F68.8090207@psg.com>

>> bingo. as i said when it was proposed, dlv is just isc ego producing
>> root envy.
> Interesting conclusion.
> See, the way I understood it from Paul, is that
> it was not *meant* to scale, as it was an interim solution until not
> only the root, but large zones such as .com got signed properly.
>
> You're claiming that isc had both bad intentions and bad code.

no. bad security model allowed by ego.

randy

From bmanning at vacation.karoshi.com Sat Oct 25 20:46:46 2008
From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
Date: Sat, 25 Oct 2008 18:46:46 +0000
Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care?
In-Reply-To:
References: <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> <49034D10.90400@psg.com>
Message-ID: <20081025184646.GA24285@vacation.karoshi.com.>

On Sat, Oct 25, 2008 at 01:53:48PM -0400, Paul Wouters wrote:
> Interesting conclusion. See, the way I understood it from Paul, is that
> it was not *meant* to scale, as it was an interim solution until not
> only the root, but large zones such as .com got signed properly.
>
> Paul

this is one of the problems I have w/ DLV. Either it's useful until the entire tree is signed/linked or there is some undefined threshold where it's "good enough" and the operator castrates all the small fry who were depending on it working. it was never clear when/where the threshold was for DLV, just that when in ISC judgement, things were "good enough" they would turn it off. which argues for caching your security tokens in multiple places, esp when you may not have a business relationship w/ the key holder.

Of course ISC could turn DLV into a profit center by charging for key mgmt. (profit might be a poor term - how about cost recovery?)

end of the day, the trust chain ends @ ISC not IANA. This might not be a bad thing.
Trading one not-for-profit California corporation for another one... but is that -really- what the Internet wants? --bill From drc at virtualized.org Sat Oct 25 20:50:03 2008 From: drc at virtualized.org (David Conrad) Date: Sat, 25 Oct 2008 11:50:03 -0700 Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care? In-Reply-To: References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> <49034D10.90400@psg.com> Message-ID: <9937734F-3CB0-46C2-B84B-F8254952F4E8@virtualized.org> On Oct 25, 2008, at 10:53 AM, Paul Wouters wrote: > You're claiming that isc had both bad intensions and bad code. This is NOT what I am claiming. I stated: "[...] I personally believe [DLV] is non-scalable, non-standard, and imputes a highly questionable trust model into _every_ non-cached DNS lookup [...]." If you believe any of these are incorrect, then you do not understand how DLV works. This says nothing of ISC's (or Paul's) intentions (which I do not believe are bad) or ISC's code (of which I have no opinion since I haven't looked at it). Regards, -drc From pk at DENIC.DE Sun Oct 26 14:35:08 2008 From: pk at DENIC.DE (Peter Koch) Date: Sun, 26 Oct 2008 14:35:08 +0100 Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care? 
In-Reply-To: <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> Message-ID: <20081026133508.GC32300@x27.adm.denic.de> On Sat, Oct 25, 2008 at 09:37:01AM -0700, David Conrad wrote: > It is true that IANA's iTAR will only accept trust information for > TLDs. If the Internet community wants the IANA to support a more > generalized TAR, I would think the normal course of action would be > for DNSOP to put out an RFC with an IANA considerations section > telling IANA what to do. do you think that "telling IANA what to do" in an IANA considerations section would be covered by RFC 2860 in this case? -Peter From drc at virtualized.org Sun Oct 26 15:41:24 2008 From: drc at virtualized.org (David Conrad) Date: Sun, 26 Oct 2008 07:41:24 -0700 Subject: [dns-wg] Re: Another DNSSEC action: add your DS to DLV (Was: NTIA NoI: does anyone care? In-Reply-To: <20081026133508.GC32300@x27.adm.denic.de> References: <82iqruw72k.fsf@mid.bfk.de> <2BF5805E-FA39-4CBE-9A38-E184333EA858@virtualized.org> <20081021092558.GC16823@nic.fr> <20081023091608.GA15397@nic.fr> <2706CA5F-C507-4A07-B2F3-DB3EB909DCF2@virtualized.org> <20081024140307.GA21162@laperouse.bortzmeyer.org> <934C363F-1BCB-40ED-B951-4F7377B4EA7D@virtualized.org> <20081026133508.GC32300@x27.adm.denic.de> Message-ID: <642F615C-6E6A-4499-A815-804CFD044318@virtualized.org> Peter, On Oct 26, 2008, at 6:35 AM, Peter Koch wrote: > do you think that "telling IANA what to do" in an IANA considerations > section would be covered by RFC 2860 in this case? Why wouldn't it? 
Regards,
-drc

From training at ripe.net Tue Oct 28 09:33:23 2008
From: training at ripe.net (Training)
Date: Tue, 28 Oct 2008 09:33:23 +0100
Subject: [dns-wg] ANNOUNCEMENT: RIPE NCC Training Courses
In-Reply-To: <20080901113428.69817310@cat.ripe.net>
References: <20080901113428.69817310@cat.ripe.net>
Message-ID: <20081028093323.08a5c25e@dog.ripe.net>

[Apologies for duplicate e-mails]

Dear Colleagues,

The RIPE NCC invites you to register for one of our upcoming training courses:

- The LIR Training Course
  This course teaches LIRs how to request Internet number resources and interact with the RIPE NCC. A course outline is available at:
  http://www.ripe.net/training/lir/outline.html

- The Routing Registry Training Course
  This course teaches LIRs how to use the RIPE Database for routing. A course outline is available at:
  http://www.ripe.net/training/rr/outline.html

- The DNS for LIRs Training Course
  This course teaches LIRs about the RIPE NCC's DNS-related services. A course outline is available at:
  http://www.ripe.net/training/dns/outline.html

To see the location of upcoming courses and to register, please use the LIR Portal or complete the registration form on our website at:
http://www.ripe.net/cgi-bin/trainingform.pl.cgi

If you have any questions please do not hesitate to contact us at .

Kind regards,

Rumy Kanis
Training Services Manager
RIPE NCC

From Joao_Damas at isc.org Tue Oct 28 12:07:30 2008
From: Joao_Damas at isc.org (Joao Damas)
Date: Tue, 28 Oct 2008 15:07:30 +0400
Subject: [dns-wg] Getting the iana.org trust anchor
Message-ID: <0E3578B2-319C-4250-B96F-610391FADF7E@isc.org>

Given the near-future availability of the IANA TAR, where can I securely obtain the trust anchor for the iana.org zone (or the zone where the TAR will be served from)? Any paper stubs available here at the RIPE meeting, perchance?
Joao From bortzmeyer at nic.fr Tue Oct 28 12:19:15 2008 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Tue, 28 Oct 2008 15:19:15 +0400 Subject: [dns-wg] Re: Getting the iana.org trust anchor In-Reply-To: <0E3578B2-319C-4250-B96F-610391FADF7E@isc.org> References: <0E3578B2-319C-4250-B96F-610391FADF7E@isc.org> Message-ID: <20081028111915.GA10671@laperouse.bortzmeyer.org> On Tue, Oct 28, 2008 at 03:07:30PM +0400, Joao Damas wrote a message of 6 lines which said: > Given the near-future availability of the IANA TAR, where can I > securely obtain the trust anchor for the iana.org zone (or the zone > where the TAR will be served from)? Do you *need* it? An ITAR signed with PGP with a key signed in key parties at RIPE/OARC/IETF meetings would be sufficient to me. (HTTPS is another solution.) Because the DNSSEC TA of iana.org will not protect you against a Kapela & Pilosov attack :-) From Joao_Damas at isc.org Tue Oct 28 12:40:21 2008 From: Joao_Damas at isc.org (Joao Damas) Date: Tue, 28 Oct 2008 15:40:21 +0400 Subject: [dns-wg] Re: Getting the iana.org trust anchor In-Reply-To: <20081028111915.GA10671@laperouse.bortzmeyer.org> References: <0E3578B2-319C-4250-B96F-610391FADF7E@isc.org> <20081028111915.GA10671@laperouse.bortzmeyer.org> Message-ID: <8A31A2E3-0E3E-402D-9E2C-C3C89A8D2D47@isc.org> I was sort of assuming the data itself would be transported over an SSL connection; I just want to make sure I am talking to the right server. On 28 Oct 2008, at 15:19, Stephane Bortzmeyer wrote: > On Tue, Oct 28, 2008 at 03:07:30PM +0400, > Joao Damas wrote > a message of 6 lines which said: > >> Given the near-future availability of the IANA TAR, where can I >> securely obtain the trust anchor for the iana.org zone (or the zone >> where the TAR will be served from)? > > Do you *need* it? An ITAR signed with PGP with a key signed in key > parties at RIPE/OARC/IETF meetings would be sufficient to me. (HTTPS > is another solution.) 
> > Because the DNSSEC TA of iana.org will not protect you against a > Kapela & Pilosov attack :-) From bortzmeyer at nic.fr Tue Oct 28 13:51:29 2008 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Tue, 28 Oct 2008 16:51:29 +0400 Subject: [dns-wg] Re: Getting the iana.org trust anchor In-Reply-To: <8A31A2E3-0E3E-402D-9E2C-C3C89A8D2D47@isc.org> References: <0E3578B2-319C-4250-B96F-610391FADF7E@isc.org> <20081028111915.GA10671@laperouse.bortzmeyer.org> <8A31A2E3-0E3E-402D-9E2C-C3C89A8D2D47@isc.org> Message-ID: <20081028125129.GA16564@laperouse.bortzmeyer.org> On Tue, Oct 28, 2008 at 03:40:21PM +0400, Joao Damas wrote a message of 20 lines which said: > I was sort of assuming the data itself would be transported over an > SSL connection, I just want to make sure I am talking to the right > server. Checking the TLS certificate? Anyway, signing with PGP, if done in a very secure way (unconnected machine, etc.) is probably safer since the typical HTTPS setup does not protect if the Web server is compromised. From paf at cisco.com Wed Oct 29 11:08:31 2008 From: paf at cisco.com (=?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?=) Date: Wed, 29 Oct 2008 14:08:31 +0400 Subject: [dns-wg] NTIA and RIPE v3 Message-ID: This is the third version of the list of issues that we are trying to reach consensus on. This is based on the feedback given during the morning session at RIPE in Dubai. Please send comments to this list as soon as possible as the wg chairs are to determine Thursday morning (Dubai time) whether there is consensus in the wg for them. Regards, Patrik Fältström, Editor -------------- next part -------------- A non-text attachment was scrubbed... 
Name: ripe-ntia-v3.pdf Type: application/pdf Size: 369887 bytes Desc: not available URL: From paf at cisco.com Wed Oct 29 12:01:19 2008 From: paf at cisco.com (=?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?=) Date: Wed, 29 Oct 2008 15:01:19 +0400 Subject: [dns-wg] NTIA and RIPE Message-ID: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> On request, now as text. The original is the PDF though, so I do not guarantee this version is exactly like the current version on PDF. I hope so though! Patrik -- that missed lunch...see some of you in the desert

RIPE and NTIA
29th of October 2008

A - DNSSEC is about data authenticity and integrity and not about control.
B - The addition of DNSSEC to the root zone must be recognised as a global initiative.
C - Addition of DNSSEC must be done in a way that the deployment of DNS is not at risk.
D - Deployment should be done in a timely but not hasty manner.
E - Any procedural changes introduced by DNSSEC should be aligned with the process for coordinating changes to and the distribution of the root zone.
F - Policies and processes for signing the root zone should make it easy for TLDs to participate.
G - There is no technical justification to create a new organisation to oversee the process of signing of the root.
H - No data should be moved between organisations without appropriate authenticity and integrity checking.
I - The public part of the KSK must be distributed as widely as possible.
J - The organisation that creates the zone file must hold the private part of the ZSK.
K - Changes to the entities and roles in the signing process must not require a change of keys. 
From Ed.Lewis at neustar.biz Wed Oct 29 16:30:44 2008 From: Ed.Lewis at neustar.biz (Edward Lewis) Date: Wed, 29 Oct 2008 11:30:44 -0400 Subject: [dns-wg] NTIA and RIPE In-Reply-To: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> References: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> Message-ID: Regardless of my personally agreeing with such a statement or not, here are my reactions to some of the bullets. At 15:01 +0400 10/29/08, Patrik Fältström wrote: >B - The addition of DNSSEC to the root zone must be recognised as a >global initiative. I'm unclear on the intent of the B statement. See my comment on E. >E - Any procedural changes introduced by DNSSEC should be aligned with the >process for coordinating changes to and the distribution of the root zone. In some interpretations of B & E, these two could be conflicting. I.e., B implies that the current state of root zone management is too centered in the US, E evokes a message encouraging the status quo. Mind you - I am not commenting on B or E, but my reading of the two leaves some confusion in my mind. Perhaps I am misunderstanding B and/or E as it is presented here. >F - Policies and processes for signing the root zone should make it easy >for TLDs to participate. As someone employed by a TLD registry, it's not clear to me how or why such rather internal matters of the root zone matter to my job. Again, not saying this is a bad statement, but it begs for more detail or direction. I am not saying that the policies and processes for signing the root should be closed to the public. I just don't see the relevance to the TLD. >J - The organisation that creates the zone file must hold the private part >of the ZSK. My guess is that the intention in J is to say "the org that creates the zone file is the sole possessor of the private ZSK(s) and *performs the signing function*." Otherwise it doesn't matter if the creator has the key at all. 
>K - Changes to the entities and roles in the signing process must not >require a change of keys. I technically disagree with that: if there is a change in the entity performing the zone signing, the private key material should not have to be transferred out in the transition. The private key material of concern here is the ZSK, not the KSK. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Never confuse activity with progress. Activity pays more. From schnizlein at isoc.org Wed Oct 29 17:04:57 2008 From: schnizlein at isoc.org (John Schnizlein) Date: Wed, 29 Oct 2008 20:04:57 +0400 Subject: [dns-wg] NTIA and RIPE In-Reply-To: References: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> Message-ID: Since I pushed on this subject, maybe my perspective is useful. Signing a TLD or higher zone is pretty pointless unless it contains DS records. It is really important that the process for the child to maintain the DS record in the parent zone be as easy as possible. At the root, where literally everybody comes together, the opportunity for getting this wrong is large. For example, a TLD operator might have a good reason, which it chooses not to reveal, to want to change its KSK quickly. The process for signing the root should make this as easy as possible. John On 2008Oct29, at 7:30 PM, Edward Lewis wrote: >> >> F - Policies and processes for signing the root zone should make it >> easy >> for TLDs to participate. > > As someone employed by a TLD registry, it's not clear to me how or > why such rather internal matters of the root zone matter to my job. > Again, not saying this is a bad statement, but it begs for more > detail or direction. > > I am not saying that the policies and processes for signing the root > should be closed to the public. I just don't see the relevance to > the TLD. 
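Worked example, added here by the editor (not code from the list, from IANA or from any TLD operator): the object a TLD hands to the parent, and the object an ITAR entry carries, is a DS record, a digest over the child's DNSKEY owner name and RDATA together with the RFC 4034 key tag. The Python below builds a DS from a DNSKEY in presentation format and checks that a DNSKEY actually served by the child matches a DS obtained from the parent zone or from a trust-anchor repository. It connects the ITAR transport thread above (PGP or HTTPS protects the repository file in transit) to the check that still follows: once you hold a DS you verify that the key the zone serves is the one the DS commits to. The owner name `example.`, the 257/3/8 fields and the four-byte public key `AQIDBA==` are constructed placeholders for the model, not a usable RSA key; only the standard library is used.

```python
"""DS generation and verification for a DNSKEY.
Added example (not code from the list, IANA or a TLD); only the stdlib is used and
only DS digest types 1 (SHA-1) and 2 (SHA-256) are modelled."""
import base64
import hashlib
import hmac
import struct

# DS digest types (RFC 4034 section 5.1.3 and RFC 4509).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed placeholder, not a real key: flags 257 (KSK/SEP), protocol 3,
# algorithm 8, and a four-byte "public key" 01 02 03 04 (base64 "AQIDBA==").
CONSTRUCTED_DNSKEY = "example. IN DNSKEY 257 3 8 AQIDBA=="


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation: str) -> dict:
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...' into fields."""
    fields = presentation.split()
    i = fields.index("DNSKEY")
    return {
        "owner": fields[0],
        "flags": int(fields[i + 1]),
        "protocol": int(fields[i + 2]),
        "algorithm": int(fields[i + 3]),
        "pubkey": base64.b64decode("".join(fields[i + 4:])),
    }


def make_ds(key: dict, digest_type: int = 2) -> dict:
    """DS for a DNSKEY: digest over canonical owner name || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["pubkey"])
    digest = DS_DIGEST[digest_type](owner_wire(key["owner"]) + rdata).hexdigest().upper()
    return {
        "owner": key["owner"],
        "key_tag": key_tag(rdata),
        "algorithm": key["algorithm"],
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_presentation(ds: dict) -> str:
    """Presentation form of a DS record, as it would appear in the parent zone or an ITAR entry."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches(key: dict, ds: dict) -> bool:
    """True iff the DNSKEY served by the child is the key that a DS obtained from the
    parent zone or a trust-anchor repository commits to. Unknown digest types fail closed."""
    if ds["digest_type"] not in DS_DIGEST:
        return False
    expected = make_ds(key, ds["digest_type"])
    return (
        owner_wire(key["owner"]) == owner_wire(ds["owner"])
        and expected["key_tag"] == ds["key_tag"]
        and expected["algorithm"] == ds["algorithm"]
        and hmac.compare_digest(expected["digest"].lower(), ds["digest"].lower())
    )


if __name__ == "__main__":
    key = parse_dnskey(CONSTRUCTED_DNSKEY)
    print(ds_presentation(make_ds(key)))
```

Running the file prints the DS line for the placeholder key. In practice `ds_matches()` is applied to the DNSKEY RRset fetched from the child against the DS taken from the parent or from the repository; the digest comparison goes through `hmac.compare_digest`, the owner name is folded to canonical form so `EXAMPLE.` and `example.` produce the same digest, and the key tag is independent of the owner name while the digest is not, which is why a DS copied to the wrong owner fails.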
From richard.lamb at icann.org Wed Oct 29 19:50:18 2008 From: richard.lamb at icann.org (Richard Lamb) Date: Wed, 29 Oct 2008 11:50:18 -0700 Subject: [dns-wg] NTIA and RIPE v3 Message-ID: <05B243F724B2284986522B6ACD0504D788D785556B@EXVPMBX100-1.exc.icann.org> Great points but they miss the fundamental importance of providing a secure solution from TLD operator to signed root. So I would recommend the bullet: L - The solution has to balance various concerns, but must provide for a maximally secure technical solution and one that provides the trust promised by DNSSEC. -Rick From richard.lamb at icann.org Wed Oct 29 23:15:17 2008 From: richard.lamb at icann.org (Richard Lamb) Date: Wed, 29 Oct 2008 15:15:17 -0700 Subject: [dns-wg] NTIA and RIPE Message-ID: <05B243F724B2284986522B6ACD0504D788D7855649@EXVPMBX100-1.exc.icann.org> ... On 2008Oct29, at 7:30 PM, Edward Lewis wrote: >Regardless of my personally agreeing with such a statement or not, here are my >reactions to some of the bullets. > >At 15:01 +0400 10/29/08, Patrik Fältström wrote: > > > B - The addition of DNSSEC to the root zone must be recognised as a > global initiative. > >I'm unclear on the intent of the B statement. See my comment on E. > > E - Any procedural changes introduced by DNSSEC should be aligned with the > process for coordinating changes to and the distribution of the root zone. > >In some interpretations of B & E, these two could be conflicting. I.e., B implies >that the current state of root zone management is too centered in the US, E evokes >a message encouraging the status quo. > >Mind you - I am not commenting on B or E, but my reading of the two leaves some >confusion in my mind. Perhaps I am misunderstanding B and/or >E as it is presented >here. I take B to mean we want the global Internet community to use and trust it. ..and yes control and operation that is less US centric. Thank you for "translating" E. 
It does evoke the current state of affairs which unfortunately does not best serve DNSSEC (even envisioned in [1]) and contradictory with B. I don't believe anyone is suggesting changing the current distribution mechanism for the root zone...only changing the creation of that zone to secure it and its new contents effectively. The how and who should be up to the community the root serves. IMHO E needs to be removed. It refers to a "process" that is by no means favored by the whole community nor frozen in stone. Why build it into DNSSEC? I have yet to understand the drivers behind E as there are any number of ways to achieve the same "balance" while simplifying and securing the process. Given the will, making such changes does not take a long time. In a previous life in government I have seen greater issues settled, contracts written, and even $$ doled out in less than a month. All depended on what level pressure is applied. It's your root. Design it and make sure it is what you want. ... > K - Changes to the entities and roles in the signing process must not > require a change of keys. > >I technically disagree with that: if there is a change in the entity performing the >zone signing, the private key material should not have to be transferred out in the >transition. The private key material of concern here is the ZSK, not the KSK. Agreed. >-- >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >Edward Lewis +1-571-434-5468 >NeuStar > >Never confuse activity with progress. Activity pays more. Very much agree ;-) Not speaking for my employer on any of this lest I be looking for another career. 
-Rick [1] http://www.icann.org/en/tlds/agreements/verisign/root-server-management-transition-agreement-oct05.pdf signed version elsewhere From paf at cisco.com Thu Oct 30 04:30:15 2008 From: paf at cisco.com (=?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?=) Date: Thu, 30 Oct 2008 07:30:15 +0400 Subject: [dns-wg] NTIA and RIPE v3 In-Reply-To: <05B243F724B2284986522B6ACD0504D788D785556B@EXVPMBX100-1.exc.icann.org> References: <05B243F724B2284986522B6ACD0504D788D785556B@EXVPMBX100-1.exc.icann.org> Message-ID: <24539C3A-5D9F-4A75-877C-6BE53222305A@cisco.com> On 29 okt 2008, at 22.50, Richard Lamb wrote: > Great points but they miss the fundamental importance of providing a > secure solution from TLD operator to signed root. So I would > recommend the bullet: > > L - The solution has to balance various concerns, but must provide > for a maximally secure technical solution and one that provides the > trust promised by DNSSEC. Thanks, added to the list that we will look at this morning. Patrik From paf at cisco.com Thu Oct 30 05:05:55 2008 From: paf at cisco.com (=?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?=) Date: Thu, 30 Oct 2008 08:05:55 +0400 Subject: [dns-wg] NTIA and RIPE In-Reply-To: References: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> Message-ID: <043E66FA-B7C7-49CD-BAF6-4847663F0CE6@cisco.com> On 29 okt 2008, at 19.30, Edward Lewis wrote: > Regardless of my personally agreeing with such a statement or not, > here are my reactions to some of the bullets. Let me clarify what discussion led to each one of them. > At 15:01 +0400 10/29/08, Patrik Fältström wrote: > >> B - The addition of DNSSEC to the root zone must be recognised as a >> global initiative. > > I'm unclear on the intent of the B statement. See my comment on E. Running the root zone is something that has an impact on everyone. Not only organisations and individuals in the USA. 
This includes of course an urge to NTIA to take comments from entities from abroad into consideration, just like comments from entities within the USA. >> E - Any procedural changes introduced by DNSSEC should be aligned >> with the >> process for coordinating changes to and the distribution of the >> root zone. > > In some interpretations of B & E, these two could be conflicting. > I.e., B implies that the current state of root zone management is > too centered in the US, E evokes a message encouraging the status quo. E says that DNSSEC management must be in sync with management of the root zone. People today trust the DNS given the hierarchy we have in the namespace with IANA at the root. DNSSEC should be in sync with that. If that is changed (we all know about the JPA, complaints on US Gov etc etc), then also DNSSEC processes should be changed. I.e. after adding DNSSEC to the way we do management of the root zone today (including some potential changes), we should still only have one process for the root zone management. Not one for DNSSEC and one for the root zone. It is one. "There can only be one!" ;-) > Mind you - I am not commenting on B or E, but my reading of the two > leaves some confusion in my mind. Perhaps I am misunderstanding B > and/or E as it is presented here. Understood. It could be confusing. >> F - Policies and processes for signing the root zone should make it >> easy >> for TLDs to participate. > > As someone employed by a TLD registry, it's not clear to me how or > why such rather internal matters of the root zone matter to my job. > Again, not saying this is a bad statement, but it begs for more > detail or direction. > > I am not saying that the policies and processes for signing the root > should be closed to the public. I just don't see the relevance to > the TLD. People here recognized that when one talks about "trust" and DNSSEC people often talk about the trust the resolver operator has in the trust anchor. 
One forgets to talk about the trust a TLD operator has to have in the root zone management. They have to trust the process so that they publish their DS. Further, they today make changes according to a specific process (via IANA etc.), that they to some degree "trust". Adding DNSSEC must take that into consideration. How easy/hard it is for TLDs to participate. >> J - The organisation that creates the zone file must hold the >> private part >> of the ZSK. > > My guess is that the intention in J is to say "the org that creates > the zone file is the sole possessor of the private ZSK(s) and > *performs the signing function*." Otherwise it doesn't matter if > the creator has the key at all. Ok. Thanks! >> K - Changes to the entities and roles in the signing process must not >> require a change of keys. > > I technically disagree with that: if there is a change in the entity > performing the zone signing, the private key material should not > have to be transferred out in the transition. The private key > material of concern here is the ZSK, not the KSK. People here said two things to me: a) It would be good if change of ZSK or KSK operator would NOT imply a silent period or _VERY_ complicated key rollover. b) If the keys are contained in hardware (say 3 HSMs), then a transition from one holder to another could be made by physically carrying one of the HSMs to the new operator. Tests can be done. Then when those tests are positive, the two other HSMs can be carried away. When that is done and things work, then a key rollover process can start as normal. This and other things led me to add text like the one above. "Must not" is probably too strong though. 
Patrik From paf at cisco.com Thu Oct 30 07:34:08 2008 From: paf at cisco.com (=?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?=) Date: Thu, 30 Oct 2008 10:34:08 +0400 Subject: [dns-wg] NTIA and RIPE In-Reply-To: <30EF0919-DF58-45F1-8F14-23FCA285348C@rfc.se> References: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> <043E66FA-B7C7-49CD-BAF6-4847663F0CE6@cisco.com> <30EF0919-DF58-45F1-8F14-23FCA285348C@rfc.se> Message-ID: <12633810-6D72-4584-A64E-3FA7F0E5AC58@cisco.com> On 30 okt 2008, at 10.28, Jakob Schlyter wrote: > I do however believe that changing the holder of the KSK will be > complicated, unless a proven automatic key rollover mechanism has > been developed, implemented _and_ deployed. so while I wouldn't hold > my breath waiting for this to happen, I hope that the initial KSK > holder will be stable and that it is possible to transfer the KSK in > case the holder needs to be changed. Fair... Now, we had this bullet: K - Changes to the entities and roles in the signing process must not require a change of keys. Then I thought about changing it to the following: K - Changes to the entities and roles in the signing process should minimize issues related to potential changes in keys when the entities change. Now, I am a bit confused... :-) Jakob, Ed, others...do you have any suggestion on text? Patrik From jakob at rfc.se Thu Oct 30 07:28:45 2008 From: jakob at rfc.se (Jakob Schlyter) Date: Thu, 30 Oct 2008 10:28:45 +0400 Subject: [dns-wg] NTIA and RIPE In-Reply-To: <043E66FA-B7C7-49CD-BAF6-4847663F0CE6@cisco.com> References: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> <043E66FA-B7C7-49CD-BAF6-4847663F0CE6@cisco.com> Message-ID: <30EF0919-DF58-45F1-8F14-23FCA285348C@rfc.se> On 30 okt 2008, at 08.05, Patrik Fältström wrote: > a) It would be good if change of ZSK or KSK operator would NOT imply > a silent period or _VERY_ complicated key rollover. changing the holder of the ZSK (e.g. the root zone maintainer) doesn't have to be very complicated. 
some time before the change of maintainers, the new maintainer would submit its first set of ZSK to the KSK holder for signing and the old maintainer would include this in the root zone for some short period of time. I do however believe that changing the holder of the KSK will be complicated, unless a proven automatic key rollover mechanism has been developed, implemented _and_ deployed. so while I wouldn't hold my breath waiting for this to happen, I hope that the initial KSK holder will be stable and that it is possible to transfer the KSK in case the holder needs to be changed. jakob From andrei at ripe.net Thu Oct 30 08:52:58 2008 From: andrei at ripe.net (Andrei Robachevsky) Date: Thu, 30 Oct 2008 08:52:58 +0100 Subject: [dns-wg] NTIA and RIPE In-Reply-To: <12633810-6D72-4584-A64E-3FA7F0E5AC58@cisco.com> References: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> <043E66FA-B7C7-49CD-BAF6-4847663F0CE6@cisco.com> <30EF0919-DF58-45F1-8F14-23FCA285348C@rfc.se> <12633810-6D72-4584-A64E-3FA7F0E5AC58@cisco.com> Message-ID: <490967DA.3040404@ripe.net> Patrik Fältström wrote on 30-10-2008 07:34: [...] > Now, we had this bullet: > > K - Changes to the entities and roles in the signing process must not > require a change of keys. > > Then I thought about changing it to the following: > > K - Changes to the entities and roles in the signing process should > minimize issues related to potential changes in keys when the entities > change. > > Now, I am a bit confused... :-) > > Jakob, Ed, others...do you have any suggestion on text? > I was under the impression that point K essentially said that implementation should not cast the current root zone management setup (with regards to the entities) in stone. If this is so, how about the following: K - Changes of the entities representing roles in the signing process must be possible and have minimum effect on the keys. 
> Patrik > Andrei From sjoerdoo at ripe.net Thu Oct 30 10:30:53 2008 From: sjoerdoo at ripe.net (Sjoerd Oostdijck) Date: Thu, 30 Oct 2008 10:30:53 +0100 Subject: [dns-wg] Planned maintenance for ns.ripe.net, 4 November 08 In-Reply-To: <4907129B.6000400@ripe.net> References: <4907129B.6000400@ripe.net> Message-ID: <49097ECD.5010901@ripe.net> [Apologies for duplicate emails.] Dear Colleagues, This message concerns people who have ns.ripe.net listed as a secondary DNS server for their reverse DNS zones. In order to improve the quality of our service, we are adding additional servers to our infrastructure. The effect of this change will be that we will perform zone transfers from more than one IP address within the ranges 193.0.0.0/22 and 2001:610:240::/48 as documented at: http://www.ripe.net/rs/reverse/reverse_howto.html On 4 November 2008 at 11:00 UTC, ns.ripe.net will move to a load-balanced solution. No noticeable downtime is expected. If you would like to make sure that we can properly transfer the zone from your server after the change, we recommend that you follow the following steps:

- Increase the serial number in your zone's Start of Authority (SOA) record.
- Wait for a zone transfer to be initiated from the 193.0.0.0/22 or the IPv6 address range.
- Now you can compare the zone serials on your master server and ns.ripe.net.

To compare the serials you can use tools like "dig", "drill" or "host -C" to query the SOA record and compare the serials on both servers. 
If you have any further questions about this message, please contact us at dns-help at ripe.net Regards, Sjoerd Oostdijck DNS Services RIPE NCC From shane at time-travellers.org Thu Oct 30 13:13:01 2008 From: shane at time-travellers.org (Shane Kerr) Date: Thu, 30 Oct 2008 16:13:01 +0400 Subject: [dns-wg] NTIA and RIPE In-Reply-To: <05B243F724B2284986522B6ACD0504D788D7855649@EXVPMBX100-1.exc.icann.org> References: <05B243F724B2284986522B6ACD0504D788D7855649@EXVPMBX100-1.exc.icann.org> Message-ID: <1225368781.5200.233.camel@shane-macbook-pro> On Wed, 2008-10-29 at 15:15 -0700, Richard Lamb wrote: > > > > E - Any procedural changes introduced by DNSSEC should be aligned with the > > process for coordinating changes to and the distribution of the root zone. > > > >In some interpretations of B & E, these two could be conflicting. I.e., B implies > >that the current state of root zone management is too centered in the US, E evokes > >a message encouraging the status quo. > > > >Mind you - I am not commenting on B or E, but my reading of the two leaves some > >confusion in my mind. Perhaps I am misunderstanding B and/or >E as it is presented > >here. > > I take B to mean we want the global Internet community to use and trust it. > ..and yes control and operation that is less US centric. > > Thank you for "translating" E. It does evoke the current state of > affairs which unfortunately does not best serve DNSSEC (even envisioned > in [1]) and contradictory with B. I don't believe anyone is suggesting > changing the current distribution mechanism for the root zone...only > changing the creation of that zone to secure it and its new contents > effectively. The how and who should be up to the community the root > serves. > > IMHO E needs to be removed. > > It refers to a "process" that is by no means favored by the whole > community nor frozen in stone. Why build it into DNSSEC? 
I have yet > to understand the drivers behind E as there are any number of ways to > achieve the same "balance" while simplifying and securing the process. > Given the will, making such changes does not take a long time. In a > previous life in government I have seen greater issues settled, > contracts written, and even $$ doled out in less than a month. All > depended on what level pressure is applied. > > It's your root. Design it and make sure it is what you want. IIRC, the idea is that adding DNSSEC is independent of any changes to the root system. DNSSEC is largely technical. Reform of the root system is largely political. The two should not be entangled any more than is necessary. This can only result in slowing one or the other down, and confusing what should be viewed as separate goals. Nothing in any of these points should suggest that the process of signing the root cannot be changed. Quite the opposite! If the way the root zone is managed changes, then item E actually means that the signing process should change right along with it. -- Shane From training at ripe.net Thu Oct 30 14:57:44 2008 From: training at ripe.net (training at ripe.net) Date: Thu, 30 Oct 2008 15:57:44 +0200 Subject: [dns-wg] [ncc-announce] ANNOUNCEMENT: RIPE NCC Training Courses In-Reply-To: <20081028093323.08a5c25e@dog.ripe.net> References: <20081028093323.08a5c25e@dog.ripe.net> Message-ID: <200810301357.m9UDvis6010526@moira.iphost.gr> [[ This message has been bounced by Cerberus Helpdesk ]] Originally sent on Tue Oct 28 2008 10:33AM by training at ripe.net: [Apologies for duplicate e-mails] Dear Colleagues, The RIPE NCC invites you to register for one of our upcoming training courses: - The LIR Training Course This course teaches LIRs how to request Internet number resources and interact with the RIPE NCC. 
A course outline is available at: http://www.ripe.net/training/lir/outline.html - The Routing Registry Training Course This course teaches LIRs how to use the RIPE Database for routing. A course outline is available at: http://www.ripe.net/training/rr/outline.html - The DNS for LIRs Training Course This course teaches LIRs about the RIPE NCC's DNS-related services. A course outline is available at: http://www.ripe.net/training/dns/outline.html To see the location of upcoming courses and to register, please use the LIR Portal or complete the registration form on our website at: http://www.ripe.net/cgi-bin/trainingform.pl.cgi If you have any questions please do not hesitate to contact us at . Kind regards, Rumy Kanis Training Services Manager RIPE NCC From patrik at frobbit.se Wed Oct 29 10:39:19 2008 From: patrik at frobbit.se (=?ISO-8859-1?Q?Patrik_F=E4ltstr=F6m?=) Date: Wed, 29 Oct 2008 13:39:19 +0400 Subject: [dns-wg] NTIA and RIPE v3 Message-ID: This is the third version of the list of issues that we are trying to reach consensus on. This is based on the feedback given during the morning session at RIPE in Dubai. Please send comments to this list as soon as possible as the wg chairs are to determine Thursday morning (Dubai time) whether there is consensus in the wg for them. Regards, Patrik Fältström, Editor -------------- next part -------------- A non-text attachment was scrubbed... 
Name: ripe-ntia-v3.pdf Type: application/pdf Size: 369887 bytes Desc: not available URL: From Ed.Lewis at neustar.biz Thu Oct 30 17:02:38 2008 From: Ed.Lewis at neustar.biz (Edward Lewis) Date: Thu, 30 Oct 2008 12:02:38 -0400 Subject: [dns-wg] NTIA and RIPE In-Reply-To: <12633810-6D72-4584-A64E-3FA7F0E5AC58@cisco.com> References: <6B45ED69-E950-4471-A05A-A3A89D086A8F@cisco.com> <043E66FA-B7C7-49CD-BAF6-4847663F0CE6@cisco.com> <30EF0919-DF58-45F1-8F14-23FCA285348C@rfc.se> <12633810-6D72-4584-A64E-3FA7F0E5AC58@cisco.com> Message-ID: At 10:34 +0400 10/30/08, Patrik Fältström wrote: Regarding item K - >Jakob, Ed, others...do you have any suggestion on text? This seems like the statement is about to get "wrapped around the axle." Perhaps we need to get back to basics, that is, put this in engineering terms - the language we speak. "The root zone's KSK public key management and distribution process should be designed to minimize the impact on name servers throughout the Internet in the event that changes are made to the operators involved." What we are after here (in the DNS WG) is reliable (including "smooth") technical operations. What I'm trying to suggest are words that avoid dealing with the business and political, etc., issues we all know are hanging in the air but are beyond the core expertise of the WG. I don't know if my words accomplish that, but that's what I'm trying to do. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Never confuse activity with progress. Activity pays more. 
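Added example by the editor, serving two passages in this thread and not code from the list, from any WG participant or from any root-zone operator: Jakob's description of the ZSK handover, in which the new maintainer's ZSK is pre-published in the root zone for "some short period of time" before it starts signing, and Ed's wording above on minimizing the impact of operator changes on name servers. How short that period may be is set by the TTLs, not by the operators: a validating resolver may hold a DNSKEY RRset for up to the DNSKEY TTL and signed data for up to that data's TTL, so a new signer must be in every DNSKEY RRset a resolver can still hold, and an old signer must stay published until every RRSIG it produced can have expired from caches. The model below replays a rollover plan as a list of states and checks both directions of that invariant. The TTLs (48 h for DNSKEY, 24 h for other data) and the key labels Z1/Z2 are assumptions for the model, not the real root values; for a KSK change the same reasoning applies with the validators' configured trust anchors in the role of the cached DNSKEY RRset, which this model does not cover.

```python
"""Pre-publish / post-publish key rollover check.
Added example (not code from the list or a root-zone operator); the TTLs and
key ids are assumed for the model. Times are in hours."""
from dataclasses import dataclass
from typing import FrozenSet, List

DNSKEY_TTL = 48  # assumed DNSKEY RRset TTL for the model
DATA_TTL = 24    # assumed largest TTL of any other signed RRset


@dataclass(frozen=True)
class Step:
    t: int                     # hours since the start of the procedure
    published: FrozenSet[str]  # key ids in the DNSKEY RRset from t onward
    signer: str                # key id producing RRSIGs over zone data from t onward


def state_at(steps: List[Step], t: int) -> Step:
    """State in force at time t; steps are sorted by t and the first one is at t=0."""
    current = steps[0]
    for s in steps:
        if s.t <= t:
            current = s
    return current


def _fetch_points(steps: List[Step], now: int, ttl: int) -> List[int]:
    """Instants whose fetched data can still sit in a resolver cache at 'now':
    the oldest still-valid instant plus every state change inside the TTL window."""
    points = {max(now - ttl, 0)}
    points.update(s.t for s in steps if now - ttl <= s.t <= now)
    return sorted(points)


def check_rollover(steps: List[Step], dnskey_ttl: int, data_ttl: int) -> List[str]:
    """Return the invariant violations of a rollover plan (empty list means safe).
    Testing only at the state-change instants suffices: between changes the cache
    window only shrinks, so no new combination of cached data can appear."""
    violations = set()
    for now in (s.t for s in steps):
        cur = state_at(steps, now)
        # (a) pre-publish: a DNSKEY RRset fetched up to dnskey_ttl ago must already
        #     contain the key that signs today's data
        for f in _fetch_points(steps, now, dnskey_ttl):
            cached = state_at(steps, f).published
            if cur.signer not in cached:
                violations.add(f"t={now}h: data signed by {cur.signer}, but a DNSKEY "
                               f"RRset cached at t={f}h is {sorted(cached)}")
        # (b) post-publish: data fetched up to data_ttl ago must still find its
        #     signer in today's DNSKEY RRset
        for f in _fetch_points(steps, now, data_ttl):
            old = state_at(steps, f).signer
            if old not in cur.published:
                violations.add(f"t={now}h: data cached at t={f}h is signed by {old}, "
                               f"but the DNSKEY RRset is now {sorted(cur.published)}")
    return sorted(violations)


def scenario_safe() -> List[Step]:
    """Z1 = outgoing maintainer's ZSK, Z2 = incoming maintainer's ZSK (labels assumed)."""
    return [
        Step(0, frozenset({"Z1"}), "Z1"),
        Step(24, frozenset({"Z1", "Z2"}), "Z1"),   # Z2 pre-published; KSK holder re-signs the RRset
        Step(96, frozenset({"Z1", "Z2"}), "Z2"),   # handover 72h later, beyond the 48h DNSKEY TTL
        Step(168, frozenset({"Z2"}), "Z2"),        # Z1 withdrawn 72h after its last signature
    ]


def scenario_short_overlap() -> List[Step]:
    return [
        Step(0, frozenset({"Z1"}), "Z1"),
        Step(24, frozenset({"Z1", "Z2"}), "Z1"),
        Step(36, frozenset({"Z1", "Z2"}), "Z2"),   # only 12h of pre-publication
    ]


def scenario_early_withdrawal() -> List[Step]:
    return [
        Step(0, frozenset({"Z1"}), "Z1"),
        Step(24, frozenset({"Z1", "Z2"}), "Z1"),
        Step(96, frozenset({"Z1", "Z2"}), "Z2"),
        Step(108, frozenset({"Z2"}), "Z2"),        # Z1 removed 12h after its last signature
    ]


if __name__ == "__main__":
    plans = [("safe", scenario_safe()), ("short overlap", scenario_short_overlap()),
             ("early withdrawal", scenario_early_withdrawal())]
    for name, plan in plans:
        print(name, check_rollover(plan, DNSKEY_TTL, DATA_TTL) or "ok")
```

Running the file reports the "short overlap" plan as failing check (a) at the handover instant (a resolver that cached the DNSKEY RRset before Z2 appeared cannot validate Z2's signatures) and the "early withdrawal" plan as failing check (b) (data signed by Z1 is still in caches after Z1 has left the RRset); the "safe" plan passes both. The same function can be fed any plan, including a double-signature variant, as long as each Step records what is published and what signs from that instant on.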
From richard.lamb at icann.org Thu Oct 30 16:27:33 2008 From: richard.lamb at icann.org (Richard Lamb) Date: Thu, 30 Oct 2008 08:27:33 -0700 Subject: [dns-wg] NTIA and RIPE In-Reply-To: <1225368781.5200.233.camel@shane-macbook-pro> References: <05B243F724B2284986522B6ACD0504D788D7855649@EXVPMBX100-1.exc.icann.org> <1225368781.5200.233.camel@shane-macbook-pro> Message-ID: <05B243F724B2284986522B6ACD0504D788D785578A@EXVPMBX100-1.exc.icann.org> Thank you for the clarification. I agree with your interpretation completely. A link to the dns-wg archives in whatever statement comes out of this would be useful to avoid misinterpretation of any of the items. Sorry for being such an engineer in my comments. Having been a part of the (relatively minor) politics, it seems we should just go for the most secure engineering solution. Guess I have a lot to learn. -Rick -----Original Message----- From: dns-wg-admin at ripe.net [mailto:dns-wg-admin at ripe.net] On Behalf Of Shane Kerr Sent: Thursday, October 30, 2008 5:13 AM To: Richard Lamb Cc: dns-wg at ripe.net Subject: Re: [dns-wg] NTIA and RIPE On Wed, 2008-10-29 at 15:15 -0700, Richard Lamb wrote: > > > > E - Any procedural changes introduced by DNSSEC should be aligned with the > > process for coordinating changes to and the distribution of the root zone. > > > >In some interpretations of B & E, these two could be conflicting. I.e., B implies > >that the current state of root zone management is too centered in the US, E evokes > >a message encouraging the status quo. > > > >Mind you - I am not commenting on B or E, but my reading of the two leaves some > >confusion in my mind. Perhaps I am misunderstanding B and/or >E as it is presented > >here. > > I take B to mean we want the global Internet community to use and trust it. > ..and yes control and operation that is less US centric. > > Thank you for "translating" E. 
It does evoke the current state of > affairs which unfortunately does not best serve DNSSEC (even envisioned > in [1]) and contradictory with B. I don't believe anyone is suggesting > changing the current distribution mechanism for the root zone...only > changing the creation of that zone to secure it and its new contents > effectively. The how and who should be up to the community the root > serves. > > IMHO E needs to be removed. > > It refers to a "process" that is by no means favored by the whole > community nor frozen in stone. Why build it into DNSSEC? I have yet > to understand the drivers behind E as there are any number of ways to > achieve the same "balance" while simplifying and securing the process. > Given the will, making such changes does not take a long time. In a > previous life in government I have seen greater issues settled, > contracts written, and even $$ doled out in less than a month. All > depended on what level pressure is applied. > > It's your root. Design it and make sure it is what you want. IIRC, the idea is that adding DNSSEC is independent of any changes to the root system. DNSSEC is largely technical. Reform of the root system is largely political. The two should not be entangled any more than is necessary. This can only result in slowing one or the other down, and confusing what should be viewed as separate goals. Nothing in any of these points should suggest that the process of signing the root cannot be changed. Quite the opposite! If the way the root zone is managed changes, then item E actually means that the signing process should change right along with it. -- Shane