meeting summary: 27 July 2005
James M Galvin
galvin at elistx.com
Fri Jul 29 11:03:50 EDT 2005
DNSSEC Deployment Working Group
27 July 2005
Mike St. Johns
* Quick review of DNS meetings next week
DNSOP is meeting Monday, 10:30 - 12:30pm
DNSEXT is meeting Wednesday, 2:00 - 4:30pm
DNSSEC Applications Sub-group will meet at 2pm on Tuesday
DNSSEC Performance Sub-group will meet at 10:30am on Wednesday
The DNSSEC sub-groups will meeting in Bill Manning's room, in Palais
des Congres, Room 315.
Scott Rose suggested the goal of the performance sub-group meeting
to create a common set of metrics for:
And to agree on a base set of scenarios and tests for those metrics.
Steve Crocker challenged the group to create metrics that could be
understood and used by technical folks as well as provide basic
performance information for more naive individuals. In particular,
the kind of "thumbnail" numbers that generalists want are:
impact on memory, speed, and bandwidth
Olaf Kolkman reported that he has been instrumenting the root server
and the reverse lookup server at RIPE.NET. He will present some
detailed information at the IETF sub-group meeting, perhaps RSAC
also. The quick "bullet" summary is:
CPU (speed) - negligible impact
memory - well within boundaries
bandwidth - does not exceed a factor of three increase
Bandwidth is most affected by queries that ask the server to do a
of the work, and then by the size of the key. It is also the most
variable metric and hard to predict. For authoritative servers that
are probably over-provisioned anyway, the factor 3 increase should
be an issue. There may be some concern for caching forwarders,
large ISPs, big universities, etc.
Hilarie Orman suggested that some clients will also be affected.
did not immediately agree but noted that it is hard for him to
assess. He commented that DNS is likely to be a small part of any
Allison Mankin observed that she met quite a number of people at the
Joint Techs Workshop that believe they know something about DNSSEC
are comfortable telling people not to use DNSSEC for various "urban
myth" reasons. Thus, having real statistics from an expert will be
very helpful. Even an "article" explaining all the urban myths
* Joint Techs Workshop <http://jointtechs.es.net/Vancouver20051.htm>
This is an international conference of networking engineers. Of
particular interest to DNSSEC is that the attendees are from
research and education networks, and are well-versed and prepared.
put it another way, there were a lot of new faces.
Allison Mankin, Bill Manning, and Amy Friedlander gave a
and a micro workshop on DNSSEC, including the DNSSEC demo. There
lot to say about the technical discussion that occurred. Also,
is interest in having a 2-3 day "teach us how to do it" workshop in
the February 2006 timeframe.
Allison Mankin is on the technical advisory committee for Internet2.
She had given them a presentation on DNSSEC and they suggested it
be repeated at the Joint Techs Workshop.
There were about 25 people in attendance, including nasa.gov and a
of college campuses. It was a very active audience. They knew about
DNS, had some familiarity with DNSSEC, and were eager to get up to
One suggestion was to make a video of the demo so it could be shown
broadly and "scare" CISs.
The audience had very little knowledge of DNSSEC history and
so they included an explanation of basic principles.
An informal poll of the audience found that 15 supported a multi-day
workshop after the next Joint Techs Workshop in February 2006.
The audience in general was very articulate. They know about the
they see and need to deal with, and they were very interested in how
DNSSEC could help them.
Olaf Kolkman asked if the audience understood that the demo only works
on "shared media" and presumes that caching servers and applications
not do validations? Allison responded that they understood the point,
as evidenced by the fact that they asked about it. Some suggested
you could put this on switched ethernet and still do some damage.
Bill Manning emphasized how easy it was to break 802.x, which "scared"
people even more. Academics especially are worried about this because
they see a lot of risk on ethernet on their campuses.
There was some discussion of getting benefit from having major
applications using DNSSEC, e.g., MTAs, even if it was not otherwise
Some asked about getting Microsoft to include access to DNSSEC queries
so that it could be on the desktop. This resulted in some far
discussions about user environments, particularly those on college
The next Joint Techs Workshop is in New Mexico in February 2006.
Allison has been invited to give a plenary presentation and to add a
workshop on to the end of the conference.
More information about the Dnssec-deployment