Johan Ihren | 7 Oct 2002 11:17

Interim signing of the root zone.


Hi folks,

I submitted this to the ID-editor just before the weekend, so it
should show up anytime now. I'd be most happy to hear comments from
others.

This is something that has to be done sooner or later and I think that
in this case sooner is to be preferred. 

Regards,

Johan Ihrén
Autonomica
-----------------

Internet Draft                                          Johan Ihren
draft-ihren-dnsop-interim-signed-root-00.txt            Autonomica
October 2002
Expires in six months

         An Interim Scheme for Signing the Public DNS Root

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that

Bill Manning | 7 Oct 2002 20:10

Re: Interim signing of the root zone.

 some concerns:

	DS only works in snapshot code.  And the publicly available
	snapshots have known, serious operational problems. We -REALLY-
	need more stable code before committing this to production.

	there are some indications from the root testbed that there
	are fatal interactions with some released versions of DNS
	code.  further controlled testing should be done.

	the selection of RIRs.  RIRs -DO- have the DNS as a primary
	field of activity.  (see in-addr.arpa.) The holders of
	forward space (.SE, DE, NL, etc.) become disenfranchised
	"customers".

	"sufficient number" and "out-of-band" are concepts that
	really need some concrete recommendations.

	key duration should be better fleshed out. Experiences from
	the existing testbed may be useful.

	key publication methods have been explored but do need further
	work.  

%    The same is true for the need for operational experience with a
%    signed root zone. There is no method of acquiring this experience
%    except by signing the root zone, so that is what is being proposed.

	this is not exactly true. 
	and your risk-analysis does not exactly match empirical evidence.

Ólafur Guðmundsson | 8 Oct 2002 04:45

Re: Interim signing of the root zone.

At 14:10 2002-10-07, Bill Manning wrote:
>  some concerns:
>
>         DS only works in snapshot code.  And the publicly available
>         snapshots have known, serious operational problems. We -REALLY-
>         need more stable code before committing this to production.

Bill this is version 00 of the draft, your concerns are noted but
this particular experiment is not starting next week or next month.
This is the documentation for the experiment and Johan is seeking feedback.

>         there are some indications from the root testbed that there
>         are fatal interactions with some released versions of DNS
>         code.  further controlled testing should be done.

Agreed.

>         the selection of RIRs.  RIRs -DO- have the DNS as a primary
>         field of activity.  (see in-addr.arpa.) The holders of
>         forward space (.SE, DE, NL, etc.) become disenfranchised
>         "customers".

RIRs are geographically competent operators for this experiment;
for future production, Layer 9 will become involved.

>         "sufficient number" and "out-of-band" are concepts that
>         really need some concrete recommendations.

Yes, suggestions.


Bill Manning | 8 Oct 2002 05:37

Re: Interim signing of the root zone.

% At 14:10 2002-10-07, Bill Manning wrote:
% >  some concerns:
% >
% >         DS only works in snapshot code.  And the publicly available
% >         snapshots have known, serious operational problems. We -REALLY-
% >         need more stable code before committing this to production.
% 
% Bill this is version 00 of the draft, your concerns are noted but
% this particular experiment is not starting next week or next month.
% This is the documentation for the experiment and Johan is seeking feedback.

	documentation for -an- experiment.  an experimental setup has
	existed and been running for over 2 years.  Signing the root
	zone in this testbed has been operational for three months,
	nearly as long as there has been DS capable code.  I remain
	leery of experimentation with the live system.

% >         the selection of RIRs.  RIRs -DO- have the DNS as a primary
% >         field of activity.  (see in-addr.arpa.) The holders of
% >         forward space (.SE, DE, NL, etc.) become disenfranchised
% >         "customers".
% 
% RIRs are geographically competent operators for this experiment;
% for future production, Layer 9 will become involved.

	"geographically competent"  - now there's a turn of phrase :)
	-IF- this is really an experiment, with the live system,
	then bounding the experiment is prudent.  I'd be -very-
	leery of giving even the suggestion of "early-implementor"
	bias to one vector of the possible keyholder pool.

Bill Manning | 8 Oct 2002 05:45

Re: Interim signing of the root zone. (fwd)

	documentation for -an- experiment.  an experimental setup has
	existed and been running for over 2 years.  Signing the root
	zone in this testbed has been operational for three months,
	nearly as long as there has been DS capable code.  I remain
	leery of experimentation with the live system.
...
	So... why are we considering experimenting with the live,
	production root system at this time?  IMHO, this is lunacy.
	We have a working, experimental system in play where most
	(all) of these issues can be tested.  Folks that have 
	serious commercial interests in a stable system will not be 
	amused when we start experimenting with the systems that
	they depend on.

%          Olafur

So, who is playing in this experimental testbed?

	some of the root operators - holding the experimental root
	some of the tld holders    - com, net, org, nl, mil, int are all signed
	some third/fourth level zones

we have already uncovered fatal interactions with signed zones and 9.2.1
caching servers.  Indications of similar failures with v8 caching servers
are being evaluated.

It's roughly outlined in http://www.isi.edu/otdr   and has been testing IPv6
transport for the last three years.  If there are folks who wish to
participate, please let me know and we can provide the "bits" needed
for active participation.

Jim Fleming | 8 Oct 2002 05:53

Re: Interim signing of the root zone.

From: "Bill Manning" <bmanning <at> ISI.EDU>
"Folks that have serious commercial interests in a stable system will not be
amused when we start experimenting with the systems that they depend on.
======

The entire, "toy", 32-bit, experimental, proof-of-concept network is the perfect place to play.
Companies with a serious commercial interest have all of the labs and facilities they need to
fully test software and systems before they are deployed. The only amusement is that people
from the experimental networks take themselves so seriously. The commercial world does not.

Jim Fleming
2002:[IPv4]:000X:03DB:...IPv8 is closer than you think...IPv16 is even closer...
http://www.ietf.com
http://www.iana.org/assignments/ipv4-address-space
http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt
http://ipv8.dyndns.tv
http://ipv8.dyns.cx
http://ipv8.no-ip.com
http://ipv8.no-ip.biz
http://ipv8.no-ip.info
http://ipv8.myip.us
http://ipv8.dyn.ee
http://ipv8.community.net.au

----- Original Message -----
From: "Bill Manning" <bmanning <at> ISI.EDU>
To: "Ólafur Guðmundsson" <ogud <at> ogud.com>
Cc: <bmanning <at> ISI.EDU>; <johani <at> autonomica.se>; <dnsop <at> cafax.se>
Sent: Monday, October 07, 2002 10:37 PM
Subject: Re: Interim signing of the root zone.

Jim Fleming | 8 Oct 2002 15:01

Re: That stability thing again

----- Original Message ----- 
From: "Richard J. Sexton Ph.D. J.D." <richard <at> vrx.net>
Sent: Monday, October 07, 2002 11:31 PM
Subject: That stability thing again

> >"Folks that have serious commercial interests in a stable system will not be
> >amused when we start experimenting with the systems that they depend on.
> 
> Oh, it's ok, they're used to it by now.
> http://www.newscientist.com/news/news.jsp?id=ns99992883
> 
> 

If the U.S. Government concludes (based on bad advice) that their aging, 32-bit, legacy root servers
can only handle the load of 256 TLDs, then the 256 Best-of-Breed from the 2,048 Best-of-Breed can
be selected. It would be nice to think that some fairness was used and each of the 8 Regions would be
able to select (vote for) 32 TLDs as Best-of-Breed.
http://www.ntia.doc.gov/ntiahome/domainname/130dftmail/unir.txt

One can also use commercial statistics...ICANN of course ignored those with the selection of .COOP
0:203 ONLINE....Still the People's Choice...
http://www.icann.org/comments-mail/icann-current/msg00342.html
10514 INC - 17,686 matches for -INC
9264 ONLINE - 45,049 matches for -ONLINE
6472 USA - 13,447 matches for -USA
4481 GROUP - 12,273 matches for -GROUP 
4101 WEB - 10,182 matches for -WEB
3891 TECH - 7,950 matches for -TECH
2762 DESIGN - 11,156 matches for -DESIGN
2570 SYSTEMS - 6,765 matches for -SYSTEMS  

Brad Knowles | 9 Oct 2002 01:09

Re: That stability thing again

At 8:01 AM -0500 2002/10/08, Jim Fleming wrote:

>  If the U.S. Government concludes (based on bad advice) that their
>  aging, 32-bit, legacy root servers can only handle the load of
>  256 TLDs,

	The US government doesn't own the root servers.  The root server 
operators own them, and provide this service to the community free of 
charge.  Indeed, in some ways, I think that they might be better 
managed if someone did pay for the service, so that we could hold 
them more accountable for failures to do their job properly.

>  Clearly, some of the so-called ccTLDs would have to be removed
>  to make room for the more marketable (popular) TLDs.

	This is taken out of context.  Moreover, there is no indication 
that these surveys were conducted with any kind of regularity that 
would lend any real meaning to the results.  Stick your head into the 
sand and ask the sand fleas what they think, and you'd be as likely 
to get a reasonable response.

>  Some people view LESS as MORE stable. They do not understand
>  the Internet, but, that does not stop them from flying around
>  the world attempting to INCREASE the membership in their
>  EXCLUSIVE club. Their hypocrisy has no limits...

	I'm sorry.  There are some words and phrases here which would 
seem to make sense when isolated, but taken as a whole this is a 
complete non-sequitur.


Brad Knowles | 9 Oct 2002 00:56

Re: Interim signing of the root zone.

At 8:37 PM -0700 2002/10/07, Bill Manning wrote:

>  	So... why are we considering experimenting with the live,
>  	production root system at this time?  IMHO, this is lunacy.

	At some point, you have to stop testing in an isolated lab and 
start doing things in the real world.  I don't know if we are now at 
that point, but this is a good time to start talking about this issue.

--

-- 
Brad Knowles, <brad.knowles <at> skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

Brad Knowles | 9 Oct 2002 01:03

Re: Interim signing of the root zone.

At 10:53 PM -0500 2002/10/07, Jim Fleming wrote:

>  The entire, "toy", 32-bit, experimental, proof-of-concept network
>  is the perfect place to play.

	Toy?  Are you serious or just sarcastic?

>  Companies with a serious commercial interest have all of the
>  labs and facilities they need to fully test software and
>  systems before they are deployed.

	They may have the facilities, but even they need help in 
performing full interoperability and functionality testing of this 
kind of scale.

>                                    The only amusement is that
>  people from the experimental networks take themselves so
>  seriously. The commercial world does not.

	The commercial world doesn't take them seriously, or doesn't take 
itself seriously?

	Both statements are sufficiently ludicrous that I won't bother 
saying anything else.

--

-- 
Brad Knowles, <brad.knowles <at> skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
