Domain Name Server Operations (dnsop)

David Meyer | 2 Nov 2004 16:09

updated DNSOP agenda for IETF 61


Domain Name System Operations (dnsop)

MONDAY, November 8, 2004 (1300-1500)
=====================================

CHAIR(s): David Meyer <dmm <at> 1-4-5.net>
          Rob Austein <sra <at> isc.org>

AGENDA

 o Administriva						 5 minutes

   - Mailing list: majordomo <at> lists.uoregon.edu
     subscribe dnsop

   - Scribe?

   - Blue Sheets

 o Agenda Bashing					 5 minutes
   Meyer                                           

 o Review and status of work items			 

   Active Drafts
   -------------
   draft-ietf-dnsop-dnssec-operational-practices-02.txt   5 minues
    Kolkman et al
   draft-ietf-dnsop-inaddr-required-05.txt                5 minutes

(Continue reading)

Tim Chown | 8 Nov 2004 19:42

Picon

On dontpublish-unreachables

Hi,

Regarding the raising of draft-ietf-dnsop-dontpublish-unreachable-03, it
was asked where ureachables might be placed in the DNS, I think one area 
where this was suggested as possible was by some people in the IPv6 WG 
where the new "guaranteed" unique ULAs may be published since (in theory) 
there is no ambiguity with the ULAs.

I agree with Alain that this still seems undesirable.

The 03 version talks about deprecated IPv6 items, such as site-locals
and IPv4 compatibles.

(Also I see no 04 version at watersrings:
http://www.watersprings.org/pub/id/draft-ietf-dnsop-dontpublish-unreachable-03.txt, is there
an 04 that they didn't pick up since Feb'02?)

--

-- 
Tim
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

Rob Austein | 8 Nov 2004 22:09

Re: On dontpublish-unreachables

At Mon, 8 Nov 2004 18:42:05 +0000,  Tim Chown wrote:
> 
> (Also I see no 04 version at watersrings:
> http://www.watersprings.org/pub/id/draft-ietf-dnsop-dontpublish-unreachable-03.txt,
> is there an 04 that they didn't pick up since Feb'02?)

-04 is just the "this draft has expired" tombstone.
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

Samuel Weiler | 9 Nov 2004 21:51

Comments on key rollover req. draft

This document has a number of unjustified and mutually exclusive
requirements.  To wit:

   From Section 2: "... the child zone must contact its parent zone
   and must notify it about the KSK change(s)."  Some proposed schemes
   involve the parent polling the child.  Those schemes may be
   unwise, but "must" seems overbroad and certainly unjustified by
   the text in this document.

   Later in section 2: "the security of these communications [in
   manual rollovers] is out of scope of DNSSEC."  Not necessarily.  A
   child might manually add new keys, intending that they be
   authenticated in-band, then contact the parent out-of-band to
   trigger the update (a process that may not need to be secured),
   then the parent fetches the key keys in-band.

   In section 3, I'm not sure what is meant by "Every RR MUST be
   verifiable at any time..."  In any case, I hope "every RR" does not
   include "every RRSIG" -- I'd like to allow publication of RRSIGs
   even when the DNSKEYs that created them aren't available.

   Section 4 has an unjustified requirement for in-band
   authentication: "Every exchanged message MUST be authenticated and
   the authentication tool MUST be a DNSSEC tool..."  Unless we're
   limiting this document's scope to in-band rollover, this is grossly
   inappropriate.

   The next paragraph of section 4 has another unjustified
   requirement: "... a child zone,... MUST notify its parent
   zone...".  Why is this document trying to disallow parent polling?

(Continue reading)

Scott Rose | 10 Nov 2004 16:13

RFC 2541 and dnssec operational practices draft

As mentioned in the WG meeting:  Looking back on the RFC2541 draft, it
mostly deals with key generation and lifetime requirements.
draft-ietf-dnsop-dnssec-operational-practices-02 covers much more ground
with operation procedures for key rollovers.

RFC 2541 also gives hard numbers for key length minimums and lifetimes,
which may not always hold in different deployments.  For example:
Transaction security keys have a suggesed max lifetime of 36 days.  It also
only addresses RSA/MD5 which is now not recommeded for DNSSEC.  So while a
initial document for DNSSEC deployment, it does not address several key
items in maintaining a secure tree.

I would therefore like to see the new draft obsolete RFC2541 and progress as
an informational RFC.

Scott

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

Olaf M. Kolkman | 10 Nov 2004 16:57

Picon

Re: RFC 2541 and dnssec operational practices draft

Scott Rose wrote:

>
>I would therefore like to see the new draft obsolete RFC2541 and progress as
>an informational RFC.
>
>  
>
Where 'the new draft' refers to dnssec-operational-practices.

Miek, Rip and myself are looking at how we can merge the relevant parts. 
If the WG thinks this is a good idea we'll proceed.  (That is, please 
shout "STOP" asap if you do not want us to put it in operational 
practices.  )

--Olaf
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

Scott Rose | 10 Nov 2004 17:06

RE: RFC 2541 and dnssec operational practices draft

> -----Original Message-----
> From: Olaf M. Kolkman [mailto:olaf <at> ripe.net]
>
> Miek, Rip and myself are looking at how we can merge the relevant parts.
> If the WG thinks this is a good idea we'll proceed.  (That is, please
> shout "STOP" asap if you do not want us to put it in operational
> practices.  )
>

I am not yelling stop yet.  I would suggest dropping all language regarding
specific key lengths and lifetimes.  Or at least make it clear they are
recommend values and can be superceeded by local policy.  It would also be
nice to find a good reference to back up any recommended values - especially
when it comes to key length.  Some people take that serious for some strange
reason 

Scott

> --Olaf
>

.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

Miek Gieben | 11 Nov 2004 15:06

Re: Comments on key rollover req. draft

[On 09 Nov,  <at>  21:51, Samuel wrote in "[dnsop] Comments on key rollov ..."]
> This document has a number of unjustified and mutually exclusive
> requirements.  To wit:

in the dnssec-operational draft, we have the following:

3.3.4  Automated Key Rollovers

   As keys must be renewed periodically, there are some motivation to
   automate the rollover process (also see [12])

   o  ZSK rollovers are easy to automate as only the local zone is
      involved.
   o  A KSK rollover needs interaction between the parent and child.
      Data exchange is needed to provide the new keys to the parent,
      consequently, this data must be authenticated and integrity must
      be guaranteed in order to avoid attacks on the rollover.
   o  All time and TTL considerations presented in Section 3.3 apply to
      an automated rollover.

which in my mind sums it all up, so I would favor dropping the key req.
draft,

grtz Miek
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

(Continue reading)

Ben Laurie | 11 Nov 2004 17:14

Picon

Re: Comments on key rollover req. draft

Miek Gieben wrote:
> [On 09 Nov,  <at>  21:51, Samuel wrote in "[dnsop] Comments on key rollov ..."]
> 
>>This document has a number of unjustified and mutually exclusive
>>requirements.  To wit:
> 
> 
> in the dnssec-operational draft, we have the following:
> 
> 3.3.4  Automated Key Rollovers
> 
>    As keys must be renewed periodically, there are some motivation to
>    automate the rollover process (also see [12])
> 
>    o  ZSK rollovers are easy to automate as only the local zone is
>       involved.
>    o  A KSK rollover needs interaction between the parent and child.
>       Data exchange is needed to provide the new keys to the parent,
>       consequently, this data must be authenticated and integrity must
>       be guaranteed in order to avoid attacks on the rollover.
>    o  All time and TTL considerations presented in Section 3.3 apply to
>       an automated rollover.
> 
> which in my mind sums it all up, so I would favor dropping the key req.
> draft,

This doesn't say anything about SEP keys, though.

Cheers,

(Continue reading)

Miek Gieben | 11 Nov 2004 17:24

Re: Comments on key rollover req. draft

[On 11 Nov,  <at>  17:14, Ben wrote in "Re: [dnsop] Comments on key ro ..."]
> >   o  ZSK rollovers are easy to automate as only the local zone is
> >      involved.
> >   o  A KSK rollover needs interaction between the parent and child.
> >      Data exchange is needed to provide the new keys to the parent,
> >      consequently, this data must be authenticated and integrity must
> >      be guaranteed in order to avoid attacks on the rollover.
> >   o  All time and TTL considerations presented in Section 3.3 apply to
> >      an automated rollover.
> >
> >which in my mind sums it all up, so I would favor dropping the key req.
> >draft,
> 
> This doesn't say anything about SEP keys, though.

it talks about ksk keys, which are implied to be sep keys (that is
defined somewhere else in the doc)

grtz Miek
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

Group

gmane.ietf.dnsop.

Search Archive

Page

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9

Articles in period: 80

November 2004

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

gtld-tech mailing list (17 May 2013)
Biggest Fake Conference in Computer Science (27 Apr 2013)
Thoughts on CDS (26 Apr 2013)
Thoughts on CDS (25 Apr 2013)
DS transfer requirements (24 Apr 2013)
Ang.: RISKS and mitigations for draft-jabley-dnssec-trust-anchor (20 Apr 2013)
RISKS and mitigations for draft-jabley-dnssec-trust-anchor (19 Apr 2013)
Thoughts on CDS (18 Apr 2013)
public consultation on root zone KSK rollover (3 Apr 2013)
Fwd: New Version Notification for draft-jabley-dnsop-anycast-mapping-0 (25 Mar 2013)
please welcome the new co-chair Tim Wicinski (25 Mar 2013)
dnsop chair replacement solicitation. (19 Mar 2013)
Adoption of as a WG work (14 Mar 2013)
Standing down as DNSOP co-chair (14 Mar 2013)
CDS and the RRR model (14 Mar 2013)
F2F CDS discussion @IETF-86 (13 Mar 2013)
General comments on draft-kumari-ogud-dnsop-cds-01 (13 Mar 2013)
General comments on draft-kumari-ogud-dnsop-cds-01 (13 Mar 2013)
General comments on draft-kumari-ogud-dnsop-cds-01 (13 Mar 2013)
General comments on draft-kumari-ogud-dnsop-cds-01 (13 Mar 2013)
General comments on draft-kumari-ogud-dnsop-cds-01 (13 Mar 2013)

Archives

1	May 2013
137	April 2013
92	March 2013
139	February 2013
15	January 2013
8	December 2012
60	November 2012
51	October 2012
38	September 2012
25	August 2012
52	July 2012
39	June 2012
21	May 2012
157	April 2012
49	March 2012
63	February 2012
15	January 2012
7	December 2011
3	November 2011
91	October 2011
53	September 2011
41	August 2011
46	July 2011
48	June 2011
17	May 2011
52	April 2011
12	March 2011
17	February 2011
46	January 2011
20	December 2010
188	November 2010
120	October 2010
39	September 2010
16	August 2010
61	July 2010
67	June 2010
17	May 2010
71	April 2010
258	March 2010
100	February 2010
153	January 2010
9	December 2009
86	November 2009
95	October 2009
132	September 2009
34	August 2009
141	July 2009
13	June 2009
35	May 2009
135	April 2009
179	March 2009
11	February 2009
3	January 2009
1	December 2008
37	November 2008
25	October 2008
131	September 2008
324	August 2008
21	July 2008
203	June 2008
67	April 2008
53	March 2008
13	February 2008
5	January 2008
85	December 2007
87	November 2007
50	October 2007
30	September 2007
23	August 2007
43	July 2007
108	June 2007
30	May 2007
4	April 2007
71	March 2007
113	February 2007
47	January 2007
35	December 2006
75	November 2006
80	October 2006
57	September 2006
51	August 2006
47	July 2006
23	June 2006
20	May 2006
32	April 2006
24	March 2006
4	February 2006
15	January 2006
25	December 2005
18	November 2005
16	October 2005
20	September 2005
15	August 2005
18	July 2005
45	June 2005
7	May 2005
37	April 2005
86	March 2005
34	February 2005
21	January 2005
39	December 2004
77	November 2004
73	October 2004
42	September 2004
31	August 2004
58	July 2004
70	June 2004
55	May 2004
86	April 2004
78	March 2004
29	February 2004
22	January 2004
75	December 2003
206	November 2003
33	October 2003
54	September 2003
85	August 2003
156	July 2003
20	June 2003
7	May 2003
160	April 2003
222	March 2003
70	February 2003
3	January 2003
3	December 2002
81	November 2002
98	October 2002
2	August 2002
65	July 2002
24	June 2002
1	May 2002
8	April 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template