From joe.abley at icann.org Mon May 3 14:17:36 2010 From: joe.abley at icann.org (Joe Abley) Date: Mon, 3 May 2010 05:17:36 -0700 Subject: [dns-wg] Root Zone DNSSEC Deployment Technical Status Update Message-ID: <9D6E7E44-FAC4-4319-806C-E31635E99598@icann.org> Root Zone DNSSEC Deployment Technical Status Update 2010-05-03 This is the fifth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS. ** The final transition to the DURZ will take place on ** J-Root, on 2010-05-05 between 1700--1900 UTC. ** ** After that maintenance all root servers will be serving the ** DURZ, and will generate larger responses to DNS ** queries that request DNSSEC information. ** ** If you experience technical problems or need to contact ** technical project staff, please send e-mail to rootsign at icann.org ** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred ** if possible. ** ** See below for more details. RESOURCES Details of the project, including documentation published to date, can be found at . We'd like to hear from you. If you have feedback for us, please send it to rootsign at icann.org. DEPLOYMENT STATUS The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document "DNSSEC Deployment for the Root Zone", as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings. Twelve of the thirteen root servers have already made the transition to the DURZ. No harmful effects have been identified. The final root server to make the transition, J-Root, will start serving the DURZ in a maintenance window scheduled for 1700--1900 UTC on 2010-05-05. Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at the RIPE meeting in Prague on 2010-05-06. PLANNED DEPLOYMENT SCHEDULE Already completed: 2010-01-27: L starts to serve DURZ 2010-02-10: A starts to serve DURZ 2010-03-03: M, I start to serve DURZ 2010-03-24: D, K, E start to serve DURZ 2010-04-14: B, H, C, G, F start to serve DURZ To come: 2010-05-05: J starts to serve DURZ 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor (Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.) A more detailed DURZ transition timetable with maintenance windows can be found in the document "DNSSEC Deployment for the Root Zone", the most recent draft of which can be found on the project web page at . From mir at ripe.net Tue May 4 11:32:39 2010 From: mir at ripe.net (Mirjam Kuehne) Date: Tue, 04 May 2010 11:32:39 +0200 Subject: [dns-wg] DNSMON - New user Interface Message-ID: <4BDFE9B7.4070006@ripe.net> Dear colleagues, We (thanks to the RIPE NCC Information Services Team) are working on a new user interface for DNSMON. You can find a description on RIPE Labs: http://labs.ripe.net/content/dnsmon-new-user-interface Please take a look and give us your feedback. Kind Regards, Mirjam K?hne RIPE NCC From joe.abley at icann.org Wed May 5 23:22:40 2010 From: joe.abley at icann.org (Joe Abley) Date: Wed, 5 May 2010 14:22:40 -0700 Subject: [dns-wg] Root Zone DNSSEC Deployment Technical Status Update Message-ID: Root Zone DNSSEC Deployment Technical Status Update 2010-05-05 This is the sixth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS. ** The final transition to a signed root zone took place today ** on J-Root, between 1700--1900 UTC. ** ** All root servers are now serving a signed root zone. ** ** All root servers will now generate larger responses to DNS ** queries that request DNSSEC information. ** ** If you experience technical problems or need to contact ** technical project staff, please send e-mail to rootsign at icann.org ** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred ** if possible. ** ** See below for more details. RESOURCES Details of the project, including documentation published to date, can be found at . We'd like to hear from you. If you have feedback for us, please send it to rootsign at icann.org. DEPLOYMENT STATUS The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document "DNSSEC Deployment for the Root Zone", as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings. All of the thirteen root servers have now made the transition to the to the DURZ. No harmful effects have been identified. The final root server to make the transition, J-Root, started serving the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05. Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at RIPE 60 in Prague on 2010-05-06. PLANNED DEPLOYMENT SCHEDULE Already completed: 2010-01-27: L starts to serve DURZ 2010-02-10: A starts to serve DURZ 2010-03-03: M, I start to serve DURZ 2010-03-24: D, K, E start to serve DURZ 2010-04-14: B, H, C, G, F start to serve DURZ 2010-05-05: J starts to serve DURZ To come: 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor (Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.) From cet1 at cam.ac.uk Mon May 10 21:18:48 2010 From: cet1 at cam.ac.uk (Chris Thompson) Date: 10 May 2010 20:18:48 +0100 Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse zones In-Reply-To: <4B6873BB.7010400@ripe.net> References: <4B6873BB.7010400@ripe.net> Message-ID: On Feb 2 2010, Andrei Robachevsky wrote: >Chris Thompson wrote on 02-02-2010 16:31: [...] >> Is it understood yet how (or even if) this will work for legacy network >> allocations? Ideally, this would just be a matter of supplying RIPE with >> the "ds-rdata" attributes as described in >> >> https://www.ripe.net/rs/reverse/dnssec/registry-procedure.html >> >> and they would get transferred seamlessly into the ARIN zones >> (and signed there). > >Yes, that's the idea. The RIRs are looking at necessary changes that >need to be done to the management of the shared reverse zones to support >this. There is no timeline yet, but we should have a better idea mid 2010. Do we have any clearer idea about mechanisms and timescales yet? I've been perusing the RIPE-60 presentations at http://www.ripe.net/ripe/meetings/ripe-60/archives.php?day=thursday without finding anything relevant as yet. -- Chris Thompson University of Cambridge Computing Service, Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH, Phone: +44 1223 334715 United Kingdom. From rhe at nosc.ja.net Tue May 11 09:41:32 2010 From: rhe at nosc.ja.net (Rob Evans) Date: Tue, 11 May 2010 08:41:32 +0100 Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse zones In-Reply-To: References: <4B6873BB.7010400@ripe.net> Message-ID: <4BE90A2C.7060604@nosc.ja.net> Chris, > Do we have any clearer idea about mechanisms and timescales yet? I've > been perusing the RIPE-60 presentations at > http://www.ripe.net/ripe/meetings/ripe-60/archives.php?day=thursday > > without finding anything relevant as yet. Jim asked Anand during the working group session. I think the relevant bit of the stenographer's transcript is this: > JIM REID: Anand, very interested to hear what is happening with > reverse zone signing for ERX space and I realise it's complicated > because it involves other interactions with RIRs specifically ARIN. > Can you expand on information you gave. You say there is a project > underway, you are discussing things with the other RIRs, have you a > rough feel or a gut feel as to when that may be ready and if there is > a possibility for members say of this organisation to participate in > trials with a new system which will dealing with signing for reverse > zones in ERX space? > > ANAND BUDDHDEV: These discussions are happening at the RIR level and > I don't have an exact time frame for when these discussions will be > concluded, but I am hoping that by the next RIPE meeting, we may have > something to tell you, but I think Andrei is coming up and he might > have something to add to this. > > JIM REID: If it must be like DNSSEC and it will be done within six > months? > > AUDIENCE SPEAKER: An dry, this is being discussed and that requires > some changes in our provisioning system, from user experience point > of view I don't think at least for the RIPE region users, it > shouldn't have any changes. With regards to time?line, as I replied > to the mailing list, maybe midyear we will have more accurate plans > on the roll I couldn't tell of this service and how we tackle this > address space. And that also goes in line that other areas are > deploying DNSSEC, they are at different stages of the deployment and > that also somehow determines the urgency of this activity. Rob From andrei at ripe.net Tue May 11 12:09:06 2010 From: andrei at ripe.net (Andrei Robachevsky) Date: Tue, 11 May 2010 12:09:06 +0200 Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse zones In-Reply-To: <4BE90A2C.7060604@nosc.ja.net> References: <4B6873BB.7010400@ripe.net> <4BE90A2C.7060604@nosc.ja.net> Message-ID: <4BE92CC2.7040802@ripe.net> Rob Evans wrote on 11/5/10 9:41 AM: [...] >> AUDIENCE SPEAKER: An dry, this is being discussed and that requires >> some changes in our provisioning system, from user experience point >> of view I don't think at least for the RIPE region users, it >> shouldn't have any changes. With regards to time?line, as I replied >> to the mailing list, maybe midyear we will have more accurate plans >> on the roll I couldn't tell of this service and how we tackle this >> address space. And that also goes in line that other areas are >> deploying DNSSEC, they are at different stages of the deployment and >> that also somehow determines the urgency of this activity. This is correct, and the audience speaker was me. Regards, Andrei From cet1 at cam.ac.uk Tue May 11 16:52:27 2010 From: cet1 at cam.ac.uk (Chris Thompson) Date: 11 May 2010 15:52:27 +0100 Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse zones In-Reply-To: <4BE92CC2.7040802@ripe.net> References: <4B6873BB.7010400@ripe.net> <4BE90A2C.7060604@nosc.ja.net> <4BE92CC2.7040802@ripe.net> Message-ID: Rob & Andrei - thanks for the information. Jim - thanks for keeping this on the agenda. As far as I can make out, ARIN haven't started accepting DS records from their own customers yet - i.e. "Phase 3" in https://www.arin.net/resources/dnssec/index.html ("First part of 2010" is so marvelously flexible, isn't it? The part consisting of 364 days, maybe ...) -- Chris Thompson University of Cambridge Computing Service, Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH, Phone: +44 1223 334715 United Kingdom. From joe.abley at icann.org Tue May 18 19:21:31 2010 From: joe.abley at icann.org (Joe Abley) Date: Tue, 18 May 2010 10:21:31 -0700 Subject: [dns-wg] Root Zone DNSSEC Deployment Technical Status Update Message-ID: Root Zone DNSSEC Deployment Technical Status Update 2010-05-17 This is the seventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS. CHANGE IN DEPLOYMENT SCHEDULE The date for the publication of the root zone trust anchor and the distribution of a validatable, signed root zone originally planned for 2010-07-01 has been changed. This final stage of root DNSSEC deployment is now scheduled to take place on 2010-07-15. The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems. Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue a public notice announcing the publication of the joint ICANN-VeriSign testing and evaluation report as well as the intent to proceed with the final stage of DNSSEC deployment. As part of this notice the DoC will include a public review and comment period prior to taking any action. This change has been reflected in the deployment plan and other documentation, and updated documents will be published at . PLANNED DEPLOYMENT SCHEDULE Already completed: 2010-01-27: L starts to serve DURZ 2010-02-10: A starts to serve DURZ 2010-03-03: M, I start to serve DURZ 2010-03-24: D, K, E start to serve DURZ 2010-04-14: B, H, C, G, F start to serve DURZ 2010-05-05: J starts to serve DURZ To come: 2010-06-16: First Key Signing Key (KSK) Ceremony 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor (Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.) From jim at rfc1035.com Sat May 29 10:12:46 2010 From: jim at rfc1035.com (Jim Reid) Date: Sat, 29 May 2010 09:12:46 +0100 Subject: [dns-wg] draft RIPE60 minutes Message-ID: Folks, here are the draft minutes from Prague. Please let me know if there are any errors or omissions. -------------- next part -------------- A non-text attachment was scrubbed... Name: ripe60minutes Type: application/octet-stream Size: 10942 bytes Desc: not available URL: -------------- next part -------------- From jim at rfc1035.com Mon May 31 18:58:05 2010 From: jim at rfc1035.com (Jim Reid) Date: Mon, 31 May 2010 17:58:05 +0100 Subject: [dns-wg] Draft minutes for RIPE60 - take 2 Message-ID: Here are the draft minutes again. I hope the attachment is more easily readable this time. It appears my mail client (Apple Mail) is crippled by a DOS legacy. Sigh. It seems that when the file name of a text attachment doesn't have a .txt suffix, the file gets encoded as application/octet-steam (=> base64 weirdness) instead of a text/plain MIME type. Ho hum. Hopefully this is more readable for you all. Apologies for any trouble and please let me know if there are any problems this time round. Oh and comments on the minutes would be welcome too. :-) -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ripe60minutes.txt URL: -------------- next part --------------