[dnssec-deployment] DNSSEC on NANOG

Thierry Moreau thierry.moreau at connotech.com
Thu Jun 15 07:10:20 EDT 2006

Edward Lewis wrote:

> At 12:39 -0400 6/14/06, Thierry Moreau wrote:
>> Then we need to make DNSSEC more effective in providing cryptographic
>> assurance for data retrieved from the DNS global distributed database.
> Shoot, if after a decade plus of "us" trying to do just that and seeing 
> where we are, either it is a case of a poor plan or poor execution.

About the "I" portion of "us", here are some milestones towards 
completing the plan (i.e. defining automated trust anchor key rollover 
and implied TAK management procedures) and attempting to assist execution:

   (A) Produced the drafts draft-moreau-dnsext-sdda-rr and 
draft-moreau-dnsext-takrem-dns. Currently at revision -02, with 
additional documents available on the CONNOTECH web site.

   (B) Contributed to the initial movement for 
draft-ietf-dnsext-rollover-requirements, then abstaining from contributing 
for the sake of achieving faster completion of this work (I would say that 
timeliness is more important than technical quality for this 
requirements document).

   (C) Attempted to address the cost structure and business model for 
DNSSEC deployment, e.g. in the present forum.

   (D) Raised an issue with DNSEXT chairs, and informally with IAB, 
about the lack of consideration for DNS root operational contingencies 
in the current DNSEXT work for trust anchor key management (the link 
between ICANN-Verisign-DoC and IETF is through the IAB).

   (E) Delivered a licensing framework document to ICANN, perhaps too 
early since the root-signing "highlevel joint technical operations team" 
(created by the "Root Server Management Transition Completion 
Agreement") seems delayed until DoC says something about the 
ICANN-Verisign agreement.

Recall that newcomers to DNSSEC will quickly identify the trust anchor 
key configuration issue as one of the first deployment steps, and perhaps 
*the* security critical deployment step, for which "we" don't have an 
agreed-upon solution.

In this context, your comment "Making DNSSEC easier or cheaper is not 
going to help" triggered my reply to make it more effective, which I am 
attempting by making the TAKREM technology available for DNSSEC 
automated trust anchor key rollover procedures.

Other organizations committed resources to the development and early 
deployment of DNSSEC. This, plus the ever-increasing awareness of the 
plain DNS integrity vulnerability, makes me not totally pessimistic.



- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com
