[dnssec-deployment] DNSSEC on NANOG
thierry.moreau at connotech.com
Thu Jun 15 07:10:20 EDT 2006
Edward Lewis wrote:
> At 12:39 -0400 6/14/06, Thierry Moreau wrote:
>> Then we need to make DNSSEC more effective in providing cryptographic
>> assurance for data retrieved from the DNS global distributed database.
> Shoot, if after a decade plus of "us" trying to do just that and seeing
> where we are, either it is a case of a poor plan or poor execution.
About the "I" portion of "us", here are some milestones towards
completing the plan (i.e. defining automated trust anchor key rolover
and implied TAK management procedures) and attempting to assist execution:
(A) Produced the drafts draft-moreau-dnsext-sdda-rr and
draft-moreau-dnsext-takrem-dns. Currently at revision -02, with
aditional documents available on CONNOTECH web site.
(B) Contributed to the initial movement for
draft-ietf-dnsext-rollover-requirements, then abstaining to contribute
for sake of achieving faster completion of this work (I would say that
timeliness is more important than technical quality for this
(C) Attempted to address the cost structure and business model for
DNSSEC deployment, e.g. in the present forum.
(D) Raised an issue with DNSEXT chairs, and informally with IAB,
about the lack of consideration for DNS root operational contingencies
in the current DNSEXT work for trust anchr key management (the link
between ICANN-Verisign-Doc and IETF is through the IAB).
(E) Delivered a licensing framework document to ICANN, perhaps too
early since the root-signing "highlevel joint technical operations team"
(created by the "Root Server Management Transition Completion
Agreement") seems delayed until DoC say something about the
Recall that newcomers to DNSSEC will quickly identify the trust anchor
key configuration issue as one of the first deployment step, and perhaps
*the* security critical deployment step, for which "we" don't have an
In this context, your comment "Making DNSSEC easier or cheaper is not
going to help" triggered my reply to make it more effective, which I am
attempting by making the TAKREM technology available for DNSSEC
automated trust anchor key rollover procedures.
Other organizations committed resources to the development and early
deployment of DNSSEC. This, plus the ever-increasing awareness of the
plain DNS integrity vulnerability, make me not totally pessimistic.
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Canada H2M 2A1
web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com
More information about the Dnssec-deployment