[dnssec-deployment] SEPs and TARs

Scott Rose scottr at nist.gov
Wed Apr 1 08:49:35 EDT 2009 

Edward Lewis wrote:

> Getting to what I wanted to say about SEPs and TARs, from the
> perspective of someone who will be issuing SEPs (at some point in the
> future):
> 
> 1) Before I go into production mode, I want to test the impact of my
> SEPs in what ever TARs I believe "matter."  (What is meant by "matter"
> I'll leave to your imagination for the time being.)
> 
The .gov TLD tried to do this, but settled on not publishing the SEP key
to a TAR (the ITAR in this case) until some basic testing was done and
upper management signed off on it.

> 2) In general, I'll take any means to prevent any third party from
> preventing the validation of data in my TLD(s) that should otherwise
> pass muster.  This is a goal, I realize it is not possible to cover all
> bases, but I would be remiss if I don't try to the best of ability.
> 
> 3) If I encounter a TAR that causes validation for some of the relying
> parties out there, I will take steps to prevent that TAR from
> redistributing my SEP.  I.e., like maybe ask nicely.
> 
Luckily most people operating crawlers (or just querying) asked first,
otherwise the .gov TLD operators would have to have done the same.

> 4) If there is a systemic problem in deploying DNSSEC, and the problem
> doesn't quite outweigh the reasons to deploy, I will arm my help desk
> with answers to the  questions ("why can't I resolve .tld names?") that
> we will get.  This is why I want to drill into any outage we encounter now.
> 
>From what I have heard, .gov and .mil both have programs in place to
assist their respective help desk operators field DNSSEC related
questions.  I've been thinking of this at times - I know there could be
some tools for help desk staff to diagnose some DNSSEC problems except
for the fact that there is not a good way to discover what trust anchors
are being used by a remote validator.  This goes to your #4 below.

> Those are plans I have for the time being.  Other TLDs may adopt similar
> goals - in fact - I would like to hear other's goals that I might want
> to adopt.
> 
> Before closing, requirements I would place on TARs include the following:
> 
> 1) Provide a test environment for SEP provisioning and the resulting
> impact on relying parties
> 
> 2) Only redistribute SEP information with the expressed consent of the
> SEP owner
> 
> 3) Provide an interactive interface for the provisioning (submission to
> TAR) of SEP data
> 

Sounds like #2 and #3 go together.  Domain holders submit SEP key
material to a TAR, and need a way to do so.

> 4) Allow relying parties to identify the TAR from which they obtained
> the SEP, to help in debugging
> 

I think this requirement should be a higher priority.  Not sure how best
to address it right now, but thinking about it.

Scott

-- 
----------------------------------------
Scott Rose            Computer Scientist
NIST
ph: +1 301-975-8439
scott.rose at nist.gov

http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------

More information about the Dnssec-deployment mailing list