[dnssec-deployment] meeting announcement: 16 January 2008
James M Galvin
galvin at elistx.com
Mon Jan 14 16:20:46 EST 2008
This meeting will be held at the usual time of:
0700 Los Angeles, San Francisco
0800 Salt Lake City
0000 Tokyo (the next day)
0200 Melbourne (the next day)
The usual teleconference logistics are as follows. These do not
change. You will hear music until the moderator joins.
USA Toll Free Number: +1 888-221-7341
USA Toll Number: +1 973-935-2305
Conference Code: 599 786 #
Leader: James Galvin
employed by ICANN if speaking to an operator
Jabber: dnssec-deployment at conference.jabber.org
This is a public room.
If your phone does not have a mute capability you can use "*6"
to mute and "#6" to unmute your connection.
1. ISC SIP Bridge - contact me for SIP identifiers
* Holes in the hierarchy
There are two interrelated topics to consider. The first is
counting the number of signed zones, with particular attention to
counting the number of secure entry points, i.e., signed zones
without a signed parent. The second topic is how to get the
keying information for the secure entry points into a trust anchor
With respect to counting signed zones, there are at least two
regular surveys. However, these surveys do not result in the same
numbers. We are interested in understanding how these surveys
relate to each other and how to interpret the numbers.
It is interesting to note that the surveys provide one view of the
number of secure entry points and, for example, ISC's DLV registry
operation provides a different view. As is obvious, the process
for being included in the ISC's DLV registry is considerably
different and stricter than simply being counted in a survey. Do
we know if every secure entry point in the ISC DLV is included in
More generally, the focus of the second topic is on the
provisioning of trust anchor repositories but not on the serving
side. As a rough guess, the expected number of secure entry
points with unsigned parents will grow to be somewhere in the
broad range of 10,000 to 1,000,000.
Enterprises will sign their zones, or registrars and other service
providers will sign zones on behalf of the customers, and their
keys will need to be published. Whenever a TLD is ready to accept
the keys from its registrants, the number of secure entry points
with unsigned parents will drop.
The largest component in this equation is, of course, .COM, but it
is not the only one. Other gTLDs and probably many ccTLDs will
have children who sign their zones in advance of the parent.
What will it take to accommodate this number of secure entry
points? Will registrars be able to pass along the keying
information of their children in the same fashion they pass along
the other components of their customers' configuration? What
relationships and operational arrangements are required?
Three speakers have agreed to join us and start the discussion.
Lutz Donnerhacke, IKS-Jena
Eric Osterweil, SecSpider
Joao Damas, DLV