meeting summary: 7 July 2004
James M Galvin
galvin at elistx.com
Thu Jul 8 17:53:57 EDT 2004
7 July 2004
Mike St. Johns
-- Short Reports
Several people have received invitations from VeriSign to attend a
meeting on Saturday afternoon, July 31, just in front of the next IETF
(San Diego). As far as we know, it is a business oriented meeting about
-- DNSSEC Deployment Roadmap
Steve Crocker, Russ Mundy, and team have been meeting and will
report on their current status. The document is progressing and
there are issues to be discussed.
Steve Crocker began by pointing out that there have been two DNSSEC
related activities progressing and he wants to bring them together.
During this teleconference, to date we have been focusing on the root
key management issue, more specifically key rollover. In addition,
Steve, Russ Mundy, and a team of others have been meeting to put
together an overall roadmap for the deployment of DNSSEC.
Olaf Kolkman and Jaap Akkerhuis briefly mentioned the three groups they
knew about who were doing DNSSEC deployment when RFC2535 was first
published (3-4 years ago).
NL Net Labs
In general, they found that DNSSEC was not ready for deployment and they
guided the community back to "the drawing board." They agreed to send a
note to the list with a brief description of the activities and the key
people who were involved.
Steve Crocker described the structure of the roadmap document that was
The goal is to provide a complete picture of what has to be done and to
identify the trouble spots.
Overall, there are three sections: the stuff "above", the stuff in the
"middle", and the stuff "below".
Starting with the "middle", the team has found it convenient to create
various sets of objects. Listed below are examples in each set. The
complete sets will be found in the document to be distributed soon to
the entire group.
List of entities
Functional cycles - these are actions that take place across entities;
these might also be called "use cases"
Each entity has an entry point called a transaction. The completion of
a cycle is a transaction to an entity that results in one or more
transactions to the next entity, etc., that ultimately results in a
response (or not) by the initial entity.
Querying for a domain name and getting response
Updating a zone
Changing keys in a zone
There are currently 20 of these specified. The team chose to err on
the side of specifying more rather than trying to merge duplicate or
related cycles at this time.
Pieces inside each entity
List of concepts
Finally, there is, of course, the list of issues, known "hot spots",
problems, or differences of opinion. There are currently 13.
For the stuff "above", there would be organizations and businesses.
"Below" means looking at the software and understanding what has to be
Steve has the action item to make available a document the group can
Reviewing the status of the root key management issue, Rob Austein noted
that we have two schemes (M-of-N and Revoke-bit) that are more alike
than different. We need to bring them to the IETF and see what we can
do with them. They will be discussed at the San Diego meeting.
DLV is a "look-aside" protocol. It solves a different problem than the
other two. It's better positioned as a complement rather than a
Rob Austein suggested a brief announcement at the DNSOPS Working Group
meeting about this group. Ideally, keep it real short and provide
people with a pointer for more information. The DNSOPS Working Group is
scheduled to meet on Wednesday at 1pm.
Bill Manning reminded everyone of the "DNSSEC room" that will be
available during the week of the IETF. It will have a table,
powerstrips, chairs, flip charts, screen, and projector. It may not
have network access. The goal is to build a self-contained network for
show-and-tell of the two key management schemes: M-of-N and Revoke-bit.
Bill also described a fingerprinting software package that he has been
using. It queries the authoritative servers in the reverse map to
unambiguously determine what software is running on the system.
Steve agreed this was interesting and will be helpful in measuring
Next week there will be a draft roadmap document with which to continue
More information about the Dnssec-deployment