Interesting People mailing list archives
Two Day Invitational Symposium - Deploying a Signed Root
From: David Farber <dave () farber net>
Date: Tue, 5 May 2009 10:55:20 -0400
Begin forwarded message:

From: Steve Crocker <steve () shinkuro com>
Date: May 5, 2009 10:19:42 AM EDT
To: Dave Farber <dave () farber net>
Cc: Steve Crocker <steve () shinkuro com>
Subject: Fwd: Two Day Invitational Symposium - Deploying a Signed Root

For IP, if you are willing.

Steve

Begin forwarded message:

From: "Lauren Price" <lprice () pir org>
Date: May 5, 2009 3:50:18 AM PDT
To: "Lauren Price" <lprice () pir org>
Subject: Two Day Invitational Symposium - Deploying a Signed Root

Deploying a Signed Root: Issues and Proposed Solutions
June 11-12, 2009
Washington D.C.

Announcement and Call for Request for Invitation

Overview

In preparation for the signing of the DNS root zone, it’s desirable to look closely at the deployment process to anticipate what issues might arise. How will the appearance of signed responses affect existing resolvers? How will the public part of the root key be distributed? Are the procedures for changing the root key, i.e. key rollover, in place and working? Is there a plan for stepping back if deployment of a signed root proves problematic?

These and other questions will be addressed in a two day invitational symposium June 11-12 in the Washington, DC area convened by the DNSSEC Industry Coalition.

Participants are expected from the global community of DNSSEC software vendors, root operators, ISPs and other resolver operators, DNS security community, and others.

The results from the symposium will be made available publicly as quickly as possible after the symposium.

This symposium will be limited in size. Attendees are expected to make substantive contributions. People who are interested in attending are invited to request an invitation. See the details below.

Symposium Structure and Content

This symposium will identify issues in the deployment of a signed root zone. During the first part of the symposium, participants will present issues along with any proposed solutions. During the second part, recommended solutions or next steps for reaching solutions will be discussed.

Prospective participants are invited to propose topics. The potential list of topics includes:

Key Distribution

· What is the plan for distributing the public part of the root key? Who will vouch for it and who will distribute it?
· ISPs will need a secure method for retrieving the public part of the root key and validating any emergency key roll over. Not all ISPs are using BIND or NLnet Labs resolvers, and this may require development time to support such an initiative.

Key Rollover

· A shakedown of the key rollover process is needed. This requires engagement with the main resolver operators, i.e. the ISPs and the software vendors (ISC, NLnet Labs, etc.). The process will take a few months, at the very least, because each rollover requires at least a month.

Trust and Transparency

· There is a concern for securing the KSK/ZSK at the root and ensuring this process has transparency and security.
· What assurance does the global community need regarding the key ceremony and the processes associated with key management?

Impact on ISPs and Resolvers

· ISPs' authoritative data will grow significantly with signed data. We need to make sure Authoritative DNS operators are more aware of the impacts to their data and how this will impact resolver caches.
· Some resolvers, particularly BIND, set the DO bit for every request, thereby asking for a signed response, even if they don't intend to check the signature. Once there are signatures in the root zone, there will be a spike in size of responses. How will this affect resolvers and ISPs?

Contingency Plans

· What might go wrong when the root is signed? Is there a way of telling? Might it be necessary to step back and revert to an unsigned root for a period of time? If so, who will make the decision and how will the roll back be accomplished?

Call for Participants

This symposium is specifically for people who are well informed and have current issues or proposed solutions to bring to the table.

Prospective participants are hereby invited to send email to the steering committee at info () dnsseccoalition org with a brief description of the issue(s) he or she wishes to discuss. In the interest of time, topics should be proposed by May 11. Invitations and details on logistics, D.C. area will be issued by May 14.

Best,
Lauren

LAUREN PRICE
Chair, The DNSSEC Industry Coalition
Mobile: 703-973-1669
Fax: 703-889-5779
Email: lprice () pir org

.ORG, The Public Interest Registry
1775 Wiehle Avenue, Suite 200
Reston, VA 20190

Visit us online!
Check out events & blogs at .ORG Buzz!
Find us on Facebook
See the .ORG Buzz! Photo Gallery on Flickr
See our video library on YouTube

CONFIDENTIALITY NOTE: Proprietary and confidential to .ORG, The Public Interest Registry. If received in error, please inform sender and then delete.