From joe.abley at icann.org Mon May 3 14:17:36 2010
From: joe.abley at icann.org (Joe Abley)
Date: Mon, 3 May 2010 05:17:36 -0700
Subject: [dns-wg] Root Zone DNSSEC Deployment Technical Status Update
Message-ID: <9D6E7E44-FAC4-4319-806C-E31635E99598@icann.org>
Root Zone DNSSEC Deployment
Technical Status Update 2010-05-03
This is the fifth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.
** The final transition to the DURZ will take place on
** J-Root, on 2010-05-05 between 1700--1900 UTC.
**
** After that maintenance all root servers will be serving the
** DURZ, and will generate larger responses to DNS
** queries that request DNSSEC information.
**
** If you experience technical problems or need to contact
** technical project staff, please send e-mail to rootsign at icann.org
** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
** if possible.
**
** See below for more details.
RESOURCES
Details of the project, including documentation published to date,
can be found at .
We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.
DEPLOYMENT STATUS
The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.
Twelve of the thirteen root servers have already made the transition
to the DURZ. No harmful effects have been identified.
The final root server to make the transition, J-Root, will start
serving the DURZ in a maintenance window scheduled for 1700--1900
UTC on 2010-05-05.
Initial observations relating to this transition will be presented
and discussed at the DNS Working Group meeting at the RIPE meeting
in Prague on 2010-05-06.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
To come:
2010-05-05: J starts to serve DURZ
2010-07-01: Distribution of validatable, production, signed root
zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change
based on testing results or other unforeseen factors.)
A more detailed DURZ transition timetable with maintenance windows
can be found in the document "DNSSEC Deployment for the Root Zone",
the most recent draft of which can be found on the project web page
at .
From mir at ripe.net Tue May 4 11:32:39 2010
From: mir at ripe.net (Mirjam Kuehne)
Date: Tue, 04 May 2010 11:32:39 +0200
Subject: [dns-wg] DNSMON - New user Interface
Message-ID: <4BDFE9B7.4070006@ripe.net>
Dear colleagues,
We (thanks to the RIPE NCC Information Services Team) are working on a
new user interface for DNSMON. You can find a description on RIPE Labs:
http://labs.ripe.net/content/dnsmon-new-user-interface
Please take a look and give us your feedback.
Kind Regards,
Mirjam K?hne
RIPE NCC
From joe.abley at icann.org Wed May 5 23:22:40 2010
From: joe.abley at icann.org (Joe Abley)
Date: Wed, 5 May 2010 14:22:40 -0700
Subject: [dns-wg] Root Zone DNSSEC Deployment Technical Status Update
Message-ID:
Root Zone DNSSEC Deployment
Technical Status Update 2010-05-05
This is the sixth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.
** The final transition to a signed root zone took place today
** on J-Root, between 1700--1900 UTC.
**
** All root servers are now serving a signed root zone.
**
** All root servers will now generate larger responses to DNS
** queries that request DNSSEC information.
**
** If you experience technical problems or need to contact
** technical project staff, please send e-mail to rootsign at icann.org
** or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
** if possible.
**
** See below for more details.
RESOURCES
Details of the project, including documentation published to date,
can be found at .
We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.
DEPLOYMENT STATUS
The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.
All of the thirteen root servers have now made the transition to
the to the DURZ. No harmful effects have been identified.
The final root server to make the transition, J-Root, started serving
the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.
Initial observations relating to this transition will be presented
and discussed at the DNS Working Group meeting at RIPE 60 in Prague
on 2010-05-06.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
To come:
2010-07-01: Distribution of validatable, production, signed root
zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change
based on testing results or other unforeseen factors.)
From cet1 at cam.ac.uk Mon May 10 21:18:48 2010
From: cet1 at cam.ac.uk (Chris Thompson)
Date: 10 May 2010 20:18:48 +0100
Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse zones
In-Reply-To: <4B6873BB.7010400@ripe.net>
References:
<4B6873BB.7010400@ripe.net>
Message-ID:
On Feb 2 2010, Andrei Robachevsky wrote:
>Chris Thompson wrote on 02-02-2010 16:31:
[...]
>> Is it understood yet how (or even if) this will work for legacy network
>> allocations? Ideally, this would just be a matter of supplying RIPE with
>> the "ds-rdata" attributes as described in
>>
>> https://www.ripe.net/rs/reverse/dnssec/registry-procedure.html
>>
>> and they would get transferred seamlessly into the ARIN zones
>> (and signed there).
>
>Yes, that's the idea. The RIRs are looking at necessary changes that
>need to be done to the management of the shared reverse zones to support
>this. There is no timeline yet, but we should have a better idea mid 2010.
Do we have any clearer idea about mechanisms and timescales yet? I've been
perusing the RIPE-60 presentations at
http://www.ripe.net/ripe/meetings/ripe-60/archives.php?day=thursday
without finding anything relevant as yet.
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
From rhe at nosc.ja.net Tue May 11 09:41:32 2010
From: rhe at nosc.ja.net (Rob Evans)
Date: Tue, 11 May 2010 08:41:32 +0100
Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse
zones
In-Reply-To:
References: <4B6873BB.7010400@ripe.net>
Message-ID: <4BE90A2C.7060604@nosc.ja.net>
Chris,
> Do we have any clearer idea about mechanisms and timescales yet? I've
> been perusing the RIPE-60 presentations at
> http://www.ripe.net/ripe/meetings/ripe-60/archives.php?day=thursday
>
> without finding anything relevant as yet.
Jim asked Anand during the working group session. I think the relevant
bit of the stenographer's transcript is this:
> JIM REID: Anand, very interested to hear what is happening with
> reverse zone signing for ERX space and I realise it's complicated
> because it involves other interactions with RIRs specifically ARIN.
> Can you expand on information you gave. You say there is a project
> underway, you are discussing things with the other RIRs, have you a
> rough feel or a gut feel as to when that may be ready and if there is
> a possibility for members say of this organisation to participate in
> trials with a new system which will dealing with signing for reverse
> zones in ERX space?
>
> ANAND BUDDHDEV: These discussions are happening at the RIR level and
> I don't have an exact time frame for when these discussions will be
> concluded, but I am hoping that by the next RIPE meeting, we may have
> something to tell you, but I think Andrei is coming up and he might
> have something to add to this.
>
> JIM REID: If it must be like DNSSEC and it will be done within six
> months?
>
> AUDIENCE SPEAKER: An dry, this is being discussed and that requires
> some changes in our provisioning system, from user experience point
> of view I don't think at least for the RIPE region users, it
> shouldn't have any changes. With regards to time?line, as I replied
> to the mailing list, maybe midyear we will have more accurate plans
> on the roll I couldn't tell of this service and how we tackle this
> address space. And that also goes in line that other areas are
> deploying DNSSEC, they are at different stages of the deployment and
> that also somehow determines the urgency of this activity.
Rob
From andrei at ripe.net Tue May 11 12:09:06 2010
From: andrei at ripe.net (Andrei Robachevsky)
Date: Tue, 11 May 2010 12:09:06 +0200
Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse
zones
In-Reply-To: <4BE90A2C.7060604@nosc.ja.net>
References: <4B6873BB.7010400@ripe.net> <4BE90A2C.7060604@nosc.ja.net>
Message-ID: <4BE92CC2.7040802@ripe.net>
Rob Evans wrote on 11/5/10 9:41 AM:
[...]
>> AUDIENCE SPEAKER: An dry, this is being discussed and that requires
>> some changes in our provisioning system, from user experience point
>> of view I don't think at least for the RIPE region users, it
>> shouldn't have any changes. With regards to time?line, as I replied
>> to the mailing list, maybe midyear we will have more accurate plans
>> on the roll I couldn't tell of this service and how we tackle this
>> address space. And that also goes in line that other areas are
>> deploying DNSSEC, they are at different stages of the deployment and
>> that also somehow determines the urgency of this activity.
This is correct, and the audience speaker was me.
Regards,
Andrei
From cet1 at cam.ac.uk Tue May 11 16:52:27 2010
From: cet1 at cam.ac.uk (Chris Thompson)
Date: 11 May 2010 15:52:27 +0100
Subject: [dns-wg] Transferring DS info from RIPE to ARIN for ERX reverse zones
In-Reply-To: <4BE92CC2.7040802@ripe.net>
References:
<4B6873BB.7010400@ripe.net>
<4BE90A2C.7060604@nosc.ja.net>
<4BE92CC2.7040802@ripe.net>
Message-ID:
Rob & Andrei - thanks for the information.
Jim - thanks for keeping this on the agenda.
As far as I can make out, ARIN haven't started accepting DS records
from their own customers yet - i.e. "Phase 3" in
https://www.arin.net/resources/dnssec/index.html
("First part of 2010" is so marvelously flexible, isn't it? The
part consisting of 364 days, maybe ...)
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
From joe.abley at icann.org Tue May 18 19:21:31 2010
From: joe.abley at icann.org (Joe Abley)
Date: Tue, 18 May 2010 10:21:31 -0700
Subject: [dns-wg] Root Zone DNSSEC Deployment Technical Status Update
Message-ID:
Root Zone DNSSEC Deployment
Technical Status Update 2010-05-17
This is the seventh of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.
CHANGE IN DEPLOYMENT SCHEDULE
The date for the publication of the root zone trust anchor and the
distribution of a validatable, signed root zone originally planned
for 2010-07-01 has been changed.
This final stage of root DNSSEC deployment is now scheduled to take
place on 2010-07-15.
The schedule change is intended to allow ICANN and VeriSign an
additional two weeks for further analysis of the DURZ rollout, to
finalise testing and best ensure the secure, stable and resilient
implementation of the root DNSSEC production processes and systems.
Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue
a public notice announcing the publication of the joint ICANN-VeriSign
testing and evaluation report as well as the intent to proceed with
the final stage of DNSSEC deployment. As part of this notice the
DoC will include a public review and comment period prior to taking
any action.
This change has been reflected in the deployment plan and other
documentation, and updated documents will be published at
.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
To come:
2010-06-16: First Key Signing Key (KSK) Ceremony
2010-07-15: Distribution of validatable, production, signed root
zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change
based on testing results or other unforeseen factors.)
From jim at rfc1035.com Sat May 29 10:12:46 2010
From: jim at rfc1035.com (Jim Reid)
Date: Sat, 29 May 2010 09:12:46 +0100
Subject: [dns-wg] draft RIPE60 minutes
Message-ID:
Folks, here are the draft minutes from Prague. Please let me know if
there are any errors or omissions.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ripe60minutes
Type: application/octet-stream
Size: 10942 bytes
Desc: not available
URL:
-------------- next part --------------
From jim at rfc1035.com Mon May 31 18:58:05 2010
From: jim at rfc1035.com (Jim Reid)
Date: Mon, 31 May 2010 17:58:05 +0100
Subject: [dns-wg] Draft minutes for RIPE60 - take 2
Message-ID:
Here are the draft minutes again. I hope the attachment is more easily
readable this time. It appears my mail client (Apple Mail) is crippled
by a DOS legacy. Sigh. It seems that when the file name of a text
attachment doesn't have a .txt suffix, the file gets encoded as
application/octet-steam (=> base64 weirdness) instead of a text/plain
MIME type. Ho hum. Hopefully this is more readable for you all.
Apologies for any trouble and please let me know if there are any
problems this time round. Oh and comments on the minutes would be
welcome too. :-)
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ripe60minutes.txt
URL:
-------------- next part --------------