From thinkofit at gmail.com Fri Dec 12 18:47:01 2014
From: thinkofit at gmail.com (Antonio Prado)
Date: Fri, 12 Dec 2014 18:47:01 +0100
Subject: [dns-wg] ripe.net axfr
Message-ID: <548B2A15.3040109@gmail.com>

hi,

can I axfr ripe.net zone?

thank you
--
antonio

From thinkofit at gmail.com Sat Dec 13 09:24:53 2014
From: thinkofit at gmail.com (Antonio Prado)
Date: Sat, 13 Dec 2014 09:24:53 +0100
Subject: [dns-wg] ripe.net axfr
In-Reply-To: <548B2A15.3040109@gmail.com>
References: <548B2A15.3040109@gmail.com>
Message-ID: <548BF7D5.6090304@gmail.com>

On 12/12/14 6:47 PM, Antonio Prado wrote:
> can I axfr ripe.net zone?

I'll restate with different words: why should pri.authdns.ripe.net allow AXFR of the ripe.net zone?

just asking

thank you
--
antonio

From anandb at ripe.net Sat Dec 13 10:48:55 2014
From: anandb at ripe.net (Anand Buddhdev)
Date: Sat, 13 Dec 2014 10:48:55 +0100
Subject: [dns-wg] ripe.net axfr
In-Reply-To: <548BF7D5.6090304@gmail.com>
References: <548B2A15.3040109@gmail.com> <548BF7D5.6090304@gmail.com>
Message-ID: <548C0B87.7080405@ripe.net>

On 13/12/14 09:24, Antonio Prado wrote:
> why should pri.authdns.ripe.net allow AXFR of the ripe.net zone?
> just asking

Hi Antonio,

The ripe.net zone has always been open for AXFR. There is little point in blocking AXFR, because the zone is signed with NSEC, and can be easily enumerated.

Regards,
Anand Buddhdev
RIPE NCC

From ksk-rollover-soi at icann.org Fri Dec 12 20:08:49 2014
From: ksk-rollover-soi at icann.org (KSK Rollover SOI)
Date: Fri, 12 Dec 2014 19:08:49 +0000
Subject: [dns-wg] Solicitation for Statements of Interest regarding Root KSK Rollover
Message-ID:

ICANN, as the IANA functions operator, in cooperation with Verisign as the Root Zone Maintainer and the National Telecommunications Information Administration (NTIA) as the Root Zone Administrator, together known as the Root Zone Management (RZM) partners, seek to develop a plan for rolling the DNS root zone key-signing key (KSK). The KSK is used to sign the root zone zone-signing key (ZSK), which in turn is used to DNSSEC-sign the Internet's root zone. The Root Zone Partners are soliciting five to seven volunteers from the community to participate in a Design Team to develop the Root Zone KSK Rollover Plan ("The Plan"). These volunteers along with the RZM partners will form the Design Team to develop The Plan.

Individuals interested in volunteering approximately 5 hours per week for the Design Team should consult the announcement:

https://www.icann.org/en/system/files/files/ksk-soi-11dec14-en.pdf

and submit their Statement of Interest to ksk-rollover-soi at icann.org no later than January 16, 2015.

From anne-marie.eklund-lowinder at iis.se Tue Dec 16 07:36:49 2014
From: anne-marie.eklund-lowinder at iis.se (Anne-Marie Eklund-Löwinder)
Date: Tue, 16 Dec 2014 07:36:49 +0100
Subject: [dns-wg] Solicitation for Statements of Interest regarding Root KSK Rollover
In-Reply-To:
References:
Message-ID: <983F17705339E24699AA251B458249B5D22E97650B@EXCHANGE2K7.office.nic.se>

Hi all,

Given that this work is supposed to be voluntary without compensation, who do you expect to be able to participate in the design team ready to serve, and during what timeframe in 2015? Some of the people with the right experience, involved in the root zone signing (as for example TCRs), already today have trouble finding the money to take part in the key ceremonies every sixth month. Expecting professional and experienced people with expert knowledge about DNS, DNSSEC, key management among other things to be able to spend about 15 per cent of their weekly working time without getting paid seems to me a bit optimistic.

Furthermore, the criteria state: "Applicants to the Design Team would be representing themselves, not any organization or interest with which they may be associated".
From my point of view, that should mean that if I don't get support from the organization where I currently work, I will have to pay for my participation from my own pockets, and apply for leave from my duties with .SE while doing this. Even though I am very interested, it is impossible financially.

ICANN did use an experienced design team defining the design for the first root zone signing in 2010; I am a bit curious why ICANN isn't reusing the same design team, given the fact that they already know all about the details behind the choices made in 2010 and that the current design works well.

Kind regards,

Anne-Marie Eklund Löwinder
Chief Information Security Officer
.SE (The Internet Infrastructure Foundation)
Direct: +46(8)-452 35 17 | Mobile: +46(73)-43 15 310
PO Box 7399, SE-103 91 Stockholm, Sweden
Twitter: @amelsec
Visitors: Ringvägen 100
http://www.iis.se/en/

From drc at virtualized.org Tue Dec 16 22:17:11 2014
From: drc at virtualized.org (David Conrad)
Date: Tue, 16 Dec 2014 13:17:11 -0800
Subject: [dns-wg] Solicitation for Statements of Interest regarding Root KSK Rollover
In-Reply-To: <983F17705339E24699AA251B458249B5D22E97650B@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B5D22E97650B@EXCHANGE2K7.office.nic.se>
Message-ID: <1C39E8B3-93BB-4DC2-8AB9-C6D2DA09437B@virtualized.org>

[Apologies for any formatting weirdness -- having MUA issues]

Hi Anne-Marie,

> who do you expect to be able to participate in the design team ready to serve and during what timeframe in 2015?

People with DNSSEC experience, particularly in areas related to rolling keys, who see it in their interests to help design the process by which the root zone KSK will be rolled in a safe, secure, stable, and resilient manner. Similarly to the IETF, W3C, other SDOs, etc., presumably those folks would either be supported by their organizations or they believe sufficiently strongly in the efforts to fund themselves.

> Some of the people with the right experience, involved in the root zone signing (as for example TCRs) already today have trouble finding the money to take part in the key ceremonies every sixth month.

As I've largely been away from this particular world since the root was signed, that is both unfortunate as well as surprising.
IIRC, one of the prerequisites to becoming a TCR was an explicit acceptance and written assurance that they had sufficient support/funding to serve as a TCR. Back when there were discussions in the community about the TCRs, one of the considerations was that the community felt it might pose a conflict of interest for ICANN to fund the TCRs. Since the whole point of the TCRs was to instill trust within the community about the way the root KSK was managed, there was (rough) consensus that ICANN should not cover the volunteers' travel expenses. As I understand it, there is an effort underway to revise the agreement by which the TCRs participate to address the issues you raise. It is reassuring to understand that the community now trusts ICANN sufficiently to allow them to pay for travel expenses to KSK management-related events.

> Expecting professional and experienced people with expert knowledge about DNS, DNSSEC, key management among other things, to be able to spend about 15 per cent of their weekly working time without getting paid seems to me a bit optimistic.

Perhaps -- I am widely known as an optimist (:)). An alternative view is that experienced people with expert knowledge about DNS, DNSSEC, key management among other things are precisely the folks who are likely to depend strongly on the root zone KSK rollover being performed correctly and without incident, thus it would be in their best interests (and their company's interests) to participate, despite not being paid to provide their services to the community. In other areas of the global multi-stakeholder community, e.g., the various ACs, SOs, and their constituencies, and within the IETF, IAB, W3C, ISOC chapters, etc., I would note that people often volunteer far more than 15% of their time for the benefit of the Internet as a whole (at least as they see it). I'll admit some curiosity why you believe being on the design team for developing the plan to roll the root KSK is qualitatively different, but I imagine it's a matter of perspective.

> Furthermore the criteria states: "Applicants to the Design Team would be representing themselves, not any organization or interest with which they may be associated".

Yes. For the sake of simplicity and to try to reduce fears that organizations were unfairly "stacking the deck", the decision was made to follow the IETF approach of asking people who are participating in this effort to be representative of themselves only.

> From my point of view, that should mean that if I don't get support from the organization where I currently work, I will have to pay for my participation from my own pockets, and apply for leave from my duties with .SE while doing this. Even though I am very interested it is impossible financially.

I'm disappointed to hear that and will admit some surprise that IIS does not see participating in the development of the root KSK rollover plan, which could potentially impact the operation of .SE (and every other part of the DNS), in their interests. Again, I suspect it is a matter of perspective.

For clarity, the way in which the KSK design team is being formed is loosely modeled after the way the IETF creates design teams for the creation of protocols. However, in contrast to the IETF, ICANN has stated that reasonable travel expenses can be covered. For a variety of reasons, I do not believe it would be possible for ICANN to pay community members for their participation in the design team (unless, of course, ICANN were to hire them as contractors or some such, but that gets into a whole different set of legalities and agreements).

> ICANN did use an experienced design team defining the design for the first root zone signing in 2010, I am a bit curious why ICANN aren't reusing the same design team, given the fact that they already know all about the details behind the choices made in 2010 and that the current design works well.

As I'm sure you're aware, the original design team for signing the root was formed from staff/contractors of ICANN, Verisign, and NTIA. Unlike the KSK rollover plan development, there was no direct community involvement in the design. In the intervening 5 years, a number of the individuals employed or contracted by the Root Management Partners have moved on to new positions/jobs and thus, the Root Management Partners are unable to rebuild the previous team. For a number of reasons, including a desire to be more open and transparent, the decision was made to ask to have community volunteers participate in the design of the rollover plan. It is possible that the organizations to which some of the original root signing design team now belong could permit those individuals to participate as volunteers in the development of the KSK rollover plan. Of course, if none of the community believe it is in their interests to participate, then we can always fall back to the previous model.

I hope this clarifies. Happy to answer any further questions you might have.

Regards,
-drc
(ICANN CTO - sending from my personal address as that's the one that's subscribed to the lists)
From bortzmeyer at nic.fr Wed Dec 17 12:34:59 2014
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Wed, 17 Dec 2014 12:34:59 +0100
Subject: [dns-wg] Solicitation for Statements of Interest regarding Root KSK Rollover
In-Reply-To: <1C39E8B3-93BB-4DC2-8AB9-C6D2DA09437B@virtualized.org>
References: <983F17705339E24699AA251B458249B5D22E97650B@EXCHANGE2K7.office.nic.se> <1C39E8B3-93BB-4DC2-8AB9-C6D2DA09437B@virtualized.org>
Message-ID: <20141217113459.GA20963@nic.fr>

On Tue, Dec 16, 2014 at 01:17:11PM -0800, David Conrad wrote a message of 141 lines which said:

> Similarly to the IETF, W3C, other SDOs, etc., presumably those folks
> would either be supported by their organizations or they believe
> sufficiently strongly in the efforts to fund themselves.

[...]

> In other areas of the global multi-stakeholder community, e.g., the
> various ACs, SOs, and their constituencies, and within the IETF,
> IAB, W3C, ISOC chapters, etc., I would note that people often
> volunteer far more than 15% of their time for the benefit of the
> Internet as a whole

The comparison seems inappropriate to me. When developing standards, you have time (you know what happens to IETF milestones...), you are not connected to a production system, you do not implement the standard (or you are paid for that), so you can be sure that operations people will take care of the details. It is less damaging if you do it badly.

Here, we are talking of something far more operational, with possible direct consequences to one of the crucial components of DNS security.

Frankly, I feel that ICANN claims about its commitment to "security and stability" are hard to take seriously, after this statement of interest.
From drc at virtualized.org Wed Dec 17 14:46:09 2014
From: drc at virtualized.org (David Conrad)
Date: Wed, 17 Dec 2014 08:46:09 -0500
Subject: [dns-wg] Solicitation for Statements of Interest regarding Root KSK Rollover
In-Reply-To: <20141217113459.GA20963@nic.fr>
References: <983F17705339E24699AA251B458249B5D22E97650B@EXCHANGE2K7.office.nic.se> <1C39E8B3-93BB-4DC2-8AB9-C6D2DA09437B@virtualized.org> <20141217113459.GA20963@nic.fr>
Message-ID: <1E03BD40-6910-4ED6-9C60-791892F9991B@virtualized.org>

Stephane,

On Dec 17, 2014, at 6:34 AM, Stephane Bortzmeyer wrote:
> Here, we are talking of something far more operational, with
> possible direct consequences to one of the crucial components of DNS
> security.

No. What we're talking about is coming up with the plan (one might even say 'protocol') for how to roll the root key signing key. That plan, once vetted by the community and the folks who will actually be rolling the key, will later be operationalized.

> Frankly, I feel that ICANN claims about its commitment to "security
> and stability" are hard to take seriously, after this statement of
> interest.

I'm honestly confused: how can asking for volunteers to help come up with the plan to roll the key demonstrate ICANN isn't (or even is) committed to security and stability?

Perplexed,
-drc
From anne-marie.eklund-lowinder at iis.se Fri Dec 19 10:28:13 2014
From: anne-marie.eklund-lowinder at iis.se (Anne-Marie Eklund-Löwinder)
Date: Fri, 19 Dec 2014 10:28:13 +0100
Subject: [dns-wg] Solicitation for Statements of Interest regarding Root KSK Rollover
In-Reply-To: <1C39E8B3-93BB-4DC2-8AB9-C6D2DA09437B@virtualized.org>
References: <983F17705339E24699AA251B458249B5D22E97650B@EXCHANGE2K7.office.nic.se> <1C39E8B3-93BB-4DC2-8AB9-C6D2DA09437B@virtualized.org>
Message-ID: <983F17705339E24699AA251B458249B5D22FA197F5@EXCHANGE2K7.office.nic.se>

Hi David,

This is my personal opinion.

As Stephane Bortzmeyer already noted in another message, I would say doing things the IETF way is quite a different matter. If you believe you have the same time frame available to do the KSK rollover design project as it takes to put together and agree upon any protocol within the IETF, fine, but in my opinion you don't have that time.

Regarding the financial issues, I clearly know what the criteria were, but it is still a fact that it is hard for some people (self-employed, far distant, other reasons) to raise the funding to contribute. I am sure Elise and Kim can brief you on that.

Even if it is of the best interest for the best of the best people to be willing to contribute to a "rollover being performed correctly and without incident, thus it would be in their best interests (and their company's interests) to participate, despite not being paid to provide their services to the community" as you state it, I don't know how I shall interpret that. The biggest benefits will nevertheless be ICANN's, getting this important work done without having to spend money on designing one of the most important functions that ICANN has, a very important change that will potentially affect the entire Internet, should it go wrong.
I am also disappointed, but for other reasons. Surely, you must be aware that .SE already contributes to ICANN in a number of different ways - including my contribution as a TCR. This has nothing to do with that.

Merry Christmas!

Anne-Marie
From drc at virtualized.org Fri Dec 19 16:54:04 2014
From: drc at virtualized.org (David Conrad)
Date: Fri, 19 Dec 2014 10:54:04 -0500
Subject: [dns-wg] Solicitation for Statements of Interest regarding Root KSK Rollover
In-Reply-To: <983F17705339E24699AA251B458249B5D22FA197F5@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B5D22E97650B@EXCHANGE2K7.office.nic.se> <1C39E8B3-93BB-4DC2-8AB9-C6D2DA09437B@virtualized.org> <983F17705339E24699AA251B458249B5D22FA197F5@EXCHANGE2K7.office.nic.se>
Message-ID: <28D07C08-AEBA-4C70-89FF-EF1A2510F06A@virtualized.org>

Anne-Marie,

Please allow me to correct you on one particular item:

On Dec 19, 2014, at 4:28 AM, Anne-Marie Eklund-Löwinder wrote:
> The biggest benefits will nevertheless be ICANN's, getting this important work done without having to spend money on designing one of the most important functions that ICANN has,

I find it quite odd that you would assume ICANN would not need to spend money in this context based on asking the community for volunteers to participate. Since we take these sorts of things deadly seriously, ICANN will, of course, be spending quite significant amounts of money in designing, implementing, and executing the root KSK rollover, most likely including hiring outside contractors to augment our internal staff since a number of our internal resources have moved on (and I have not had time to build up a new team). ICANN staff and contractors will be working on the plan from ICANN's perspective, just as the folks from NTIA and Verisign will be working on the plan from their respective perspectives. As stated in the solicitation, the community volunteers will be working with individuals from ICANN, Verisign, and NTIA to develop the plan. The intent of the solicitation of community members to help develop the rollover plan is multifold, but includes a desire to obtain different and independent perspectives, benefit from others' experience, improve openness and transparency, and ensure that the plan meets the highest possible standards. To be explicit: the community members will NOT be supplanting ICANN, Verisign, and NTIA staff/contractors/appointees.

I'll not comment further on your note.

Regards,
-drc