meeting summary: 7 July 2004
James M Galvin
galvin at elistx.com
Thu Jul 8 17:53:57 EDT 2004
DNSSEC Deployment
7 July 2004
PRESENT:
Steve Crocker
Jim Galvin
Amy Friedlander
Bill Manning
Doug Barton
Jaap Akkerhuis
KC Claffy
Matt Larson
Mike St. Johns
Olaf Kolkman
Paul Vixie
Rob Austein
Russ Mundy
Scott Rose
Steven Chueng
Suresh Krishnaswamy
Suzanne Woolf
REGRETS:
Olafur Gudmundsson
SUMMARY
-- Short Reports
Several people have received invitations from VeriSign to attend a
meeting on Saturday afternoon, July 31, just in front of the next IETF
(San Diego). As far as we know, it is a business oriented meeting about
DNSSEC deployment.
-- DNSSEC Deployment Roadmap
Steve Crocker, Russ Mundy, and team have been meeting and will
report on their current status. The document is progressing and
there are issues to be discussed.
Steve Crocker began by pointing out that two DNSSEC-related activities
have been progressing in parallel and that he wants to bring them
together. In these teleconferences we have, to date, focused on the root
key management issue, more specifically key rollover. In addition,
Steve, Russ Mundy, and a team of others have been meeting to put
together an overall roadmap for the deployment of DNSSEC.
Olaf Kolkman and Jaap Akkerhuis briefly mentioned the three groups they
knew about who were doing DNSSEC deployment when RFC 2535 was first
published (3-4 years ago):
  RIPE NCC
  Swedish registry
  NL Net Labs
In general, they found that DNSSEC was not ready for deployment and they
guided the community back to "the drawing board." They agreed to send a
note to the list with a brief description of the activities and the key
people who were involved.
Steve Crocker described the structure of the roadmap document that was
being prepared.
The goal is to provide a complete picture of what has to be done and to
identify the trouble spots.
Overall, there are three sections: the stuff "above", the stuff in the
"middle", and the stuff "below".
Starting with the "middle", the team has found it convenient to create
various sets of objects. Listed below are examples in each set. The
complete sets will be found in the document to be distributed soon to
the entire group.
List of entities
  end user
  nearest resolver
  authoritative nameserver
  registry
  root
  registrar
  IANA
Functional cycles - these are actions that take place across entities;
these might also be called "use cases"
Each entity has an entry point called a transaction. The completion of
a cycle is a transaction to an entity that results in one or more
transactions to the next entity, etc., that ultimately results in a
response (or not) by the initial entity.
  Querying for a domain name and getting a response
  Updating a zone
  Changing keys in a zone
There are currently 20 of these specified. The team chose to err on
the side of specifying more rather than trying to merge duplicate or
related cycles at this time.
Pieces inside each entity
  software
  policy
  training
  roles
  documentation
List of concepts
Finally, there is, of course, the list of issues, known "hot spots",
problems, or differences of opinion. There are currently 13.
For the stuff "above", there would be organizations and businesses.
"Below" means looking at the software and understanding what has to be
built.
Steve has the action item to make available a document the group can
review.
Reviewing the status of the root key management issue, Rob Austein noted
that we have two schemes (M-of-N and Revoke-bit) that are more alike
than different. We need to bring them to the IETF and see what we can
do with them. They will be discussed at the San Diego meeting.
DLV is a "look-aside" protocol. It solves a different problem than the
other two. It's better positioned as a complement rather than a
"competitor."
Rob Austein suggested a brief announcement at the DNSOPS Working Group
meeting about this group. Ideally, keep it real short and provide
people with a pointer for more information. The DNSOPS Working Group is
scheduled to meet on Wednesday at 1pm.
Bill Manning reminded everyone of the "DNSSEC room" that will be
available during the week of the IETF. It will have a table,
power strips, chairs, flip charts, screen, and projector. It may not
have network access. The goal is to build a self-contained network for
show-and-tell of the two key management schemes: M-of-N and Revoke-bit.
Bill also described a fingerprinting software package that he has been
using. It queries the authoritative servers in the reverse map to
unambiguously determine what software is running on the system.
Steve agreed this was interesting and will be helpful in measuring
progress.
Next week there will be a draft roadmap document with which to continue
the discussion.