meeting summary: 5 April 2005

James M Galvin galvin at
Sat Apr 9 13:37:10 EDT 2005

DNSSEC Deployment Working Group
5 April 2005

    Steve Crocker
    Jim Galvin

    Allison Mankin
    Amy Friedlander
    Bill Manning
    Ed Lewis
    Geoff Sisson
    Jaap Akkerhuis
    Johan Ihren
    Mark Kosters
    Olafur Gudmundsson
    Ram Mohan
    Russ Mundy
    Sam Weiler
    Scott Rose
    Steve Cheung
    Suzanne Woolf

    Paul Vixie
    Peter Koch


 -- Review of DNSSEC Workshop

The workshop was held earlier in the day during the Mar del Plata ICANN

Steve Crocker felt the workshop was very well received.  There was good
attendance: about 75 people, which is about 15% of the total ICANN
attendance.  The meeting was attention-getting.

Steve gave a much shorter presentation to the GAC and encouraged them to
get involved.

He also gave a presentation to the GNSO.  There was pushback from this
group regarding overall cost of deployment.  However, the idea of having
a DNSSEC meeting for registries and registrars at the next two ICANN
meetings, respectively, was well received.  This means a registry
meeting in Luxembourg, coming up in mid-July.

Ed Lewis expressed concern that having a "meeting" with registries
without registrars would be awkward at best.  The fact is that even if
the registries deploy something it is wasted investment if the
registrars are not on board (in the gTLD registries).

Steve noted that the problem exists on both ends of the development
choice:  if you build from the core out it does not work if the edges
are not ready; if you build from the edge in you cannot do it if the
core is not ready.

Ed noted that even with that concern he did believe it would be good to
get the root zone signed, and the TLDs to sign their zones but not their
delegations.  Steve described this as "core service but not open for
business".  Then we need a plan with registrars and registrants to get
all the pieces working.

Steve asked if we will need more activity in the ccTLDs before the gTLDs
will get started.  Johan Ihren suggested that the ccTLDs are more
concerned with privacy or zone walking and, in general, were unlikely to
be active before the gTLDs.  The way to get the ccTLDs on board is to
get the Governments to push it.

Russ Mundy reported that krNIC suggested they had been having problems
with people impersonating large sections of their DNS.  They were
anxious to have a signed zone for protection.  Bill Manning added that
several Korean domains have had signed zones linked with his engineering
system for several years.

Steve suggested that we need to get the presentations we have now to be
more modular so we can quickly and easily create future presentations as
we need them.  The hijack demo in particular is a great piece of
theater.  Johan mused that we could change the demo so that it changed
the ICANN web site by replacing all occurrences of ICANN with YOUCANN.

Russ Mundy reported speaking with an FBI agent who was at the meeting.
He expressed great interest and left his card offering to be as helpful
as possible if we ever needed anything.

Ram Mohan brought up Sabine Dolderer's (deNIC) comment that if you use a
VPN you do not need DNSSEC.  Allison Mankin added that a similar
argument is used regarding SSL/TLS.  However, that is not the point.
There is a great deal of other name resolution "stuff" that is not
covered by those protocols.

Johan agreed, adding that our message needs to be that you need security
in the infrastructure to protect those things that are not security
aware.  Sabine has the advantage that she carries her protected
environment with her.

Allison added that she still has the problem of contacting the rest of
the Internet, whether at her desk or on her laptop.  That is the point
she needs to get.

Russ reported that he met a person from Australia who deals with their
CERT activities.  He sounded interested in doing things to help promote
the cause.

Amy Friedlander provided constructive, positive, and helpful comments
regarding almost every presentation in the Workshop.
