meeting summary: 27 July 2005
James M Galvin
galvin at elistx.com
Fri Jul 29 11:03:50 EDT 2005
DNSSEC Deployment Working Group
27 July 2005
PRESENT:
Steve Crocker
Jim Galvin
Allison Mankin
Amy Friedlander
David Blacka
Ed Lewis
Hilarie Orman
Jaap Akkerhuis
Mark Kosters
Mike St. Johns
Olaf Kolkman
Sam Weiler
Scott Rose
Suresh Krishnaswamy
REGRETS:
SUMMARY
* Quick review of DNS meetings next week
DNSOP is meeting Monday, 10:30 - 12:30pm
DNSEXT is meeting Wednesday, 2:00 - 4:30pm
DNSSEC Applications Sub-group will meet at 2pm on Tuesday
DNSSEC Performance Sub-group will meet at 10:30am on Wednesday
The DNSSEC sub-groups will meet in Bill Manning's room, in Palais
des Congres, Room 315.
Scott Rose suggested the goal of the performance sub-group meeting is
to create a common set of metrics for:
  - applications
  - resolvers
and to agree on a base set of scenarios and tests for those metrics.
Steve Crocker challenged the group to create metrics that could be
understood and used by technical folks as well as provide basic
performance information for more naive individuals. In particular,
the kind of "thumbnail" numbers that generalists want are:
  - impact on memory, speed, and bandwidth
Olaf Kolkman reported that he has been instrumenting the root server
and the reverse lookup server at RIPE.NET. He will present some
detailed information at the IETF sub-group meeting, perhaps RSAC
also. The quick "bullet" summary is:
  - CPU (speed) - negligible impact
  - memory - well within boundaries
  - bandwidth - does not exceed a factor of three increase
Bandwidth is most affected by queries that ask the server to do a lot
of the work, and then by the size of the key. It is also the most
variable metric and hard to predict. For authoritative servers that
are probably over-provisioned anyway, the factor 3 increase should not
be an issue. There may be some concern for caching forwarders, e.g.,
large ISPs, big universities, etc.
Hilarie Orman suggested that some clients will also be affected. Olaf
did not immediately agree but noted that it is hard for him to
assess. He commented that DNS is likely to be a small part of any
significant application.
Allison Mankin observed that she met quite a number of people at the
Joint Techs Workshop that believe they know something about DNSSEC and
are comfortable telling people not to use DNSSEC for various "urban
myth" reasons. Thus, having real statistics from an expert will be
very helpful. Even an "article" explaining all the urban myths would
be good.
* Joint Techs Workshop <http://jointtechs.es.net/Vancouver20051.htm>
This is an international conference of networking engineers. Of
particular interest to DNSSEC is that the attendees are from
research and education networks, and are well-versed and prepared. To
put it another way, there were a lot of new faces.
Allison Mankin, Bill Manning, and Amy Friedlander gave a presentation
and a micro workshop on DNSSEC, including the DNSSEC demo. There is a
lot to say about the technical discussion that occurred. Also, there
is interest in having a 2-3 day "teach us how to do it" workshop in
the February 2006 timeframe.
Allison Mankin is on the technical advisory committee for Internet2.
She had given them a presentation on DNSSEC and they suggested it
should be repeated at the Joint Techs Workshop.
There were about 25 people in attendance, including nasa.gov and a
number of college campuses. It was a very active audience. They knew
about DNS, had some familiarity with DNSSEC, and were eager to get up
to speed.
One suggestion was to make a video of the demo so it could be shown
more broadly and "scare" CISs.
The audience had very little knowledge of DNSSEC history and
background, so they included an explanation of basic principles.
An informal poll of the audience found that 15 supported a multi-day
workshop after the next Joint Techs Workshop in February 2006.
The audience in general was very articulate. They know about the
risks they see and need to deal with, and they were very interested
in how DNSSEC could help them.
Olaf Kolkman asked whether the audience understood that the demo only
works on "shared media" and presumes that caching servers and
applications do not do validation. Allison responded that they
understood the point, as evidenced by the fact that they asked about
it. Some suggested that you could put this on switched ethernet and
still do some damage.
Bill Manning emphasized how easy it was to break 802.x, which "scared"
people even more. Academics especially are worried about this because
they see a lot of risk on ethernet on their campuses.
There was some discussion of getting benefit from having major
applications using DNSSEC, e.g., MTAs, even if it was not otherwise
widely deployed.
Some asked about getting Microsoft to include access to DNSSEC queries
so that it could be on the desktop. This resulted in some far-reaching
discussions about user environments, particularly those on college
campuses.
The next Joint Techs Workshop is in New Mexico in February 2006.
Allison has been invited to give a plenary presentation and to add a
workshop on to the end of the conference.