Two Day Invitational Symposium - Deploying a Signed Root

[David Farber <dave () farber net>]

Begin forwarded message:

From: Steve Crocker <steve () shinkuro com>
Date: May 5, 2009 10:19:42 AM EDT
To: Dave Farber <dave () farber net>
Cc: Steve Crocker <steve () shinkuro com>
Subject: Fwd: Two Day Invitational Symposium - Deploying a Signed Root

For IP, if you are willing.

Steve

Begin forwarded message:

> From: "Lauren Price" <lprice () pir org>
> Date: May 5, 2009 3:50:18 AM PDT
> To: "Lauren Price" <lprice () pir org>
> Subject: Two Day Invitational Symposium - Deploying a Signed Root
>
> Deploying a Signed Root: Issues and Proposed Solutions
> June 11-12, 2009
> Washington D.C.
>
> Announcement and Call for Request for Invitation
>
> Overview
>
> In preparation for the signing of the DNS root zone, it’s desirable  
> to look closely at the deployment process to anticipate what issues  
> might arise.  How will the appearance of signed responses affect  
> existing resolvers?  How will the public part of the root key be  
> distributed?  Are the procedures for changing the root key, i.e. key  
> rollover, in place and working?  Is there a plan for stepping back  
> if deployment of a signed root proves problematic?
>
> These and other questions will be addressed in a two day  
> invitational symposium June 11-12 in the Washington, DC area  
> convened by the DNSSEC Industry Coalition.
>
> Participants are expected from the global community of DNSSEC  
> software vendors, root operators, ISPs and other resolver operators,  
> DNS security community, and others.
>
> The results from the symposium will be made available publicly as  
> quickly as possible after the symposium.
>
> This symposium will be limited in size.  Attendees are expected to  
> make substantive contributions.  People who are interested in  
> attending are invited to request an invitation.  See the details  
> below.
>
> Symposium Structure and Content
>
> This symposium will identify issues in the deployment of a signed  
> root zone.  During the first part of the symposium, participants  
> will present issues along with any proposed solutions.  During the  
> second part, recommended solutions or next steps for reaching  
> solutions will be discussed.
>
>
> Prospective participants are invited to propose topics.  The  
> potential list of topics includes:
>
> Key Distribution
>
> ·         What is the plane for distributing the public part of the  
> root key?  Who will vouch for it and who will distribute it?
>
> ·         ISP’s will need a secure method for retrieving the public  
> part of the root key and validating any emergency key roll over.   
> Not all ISP’s are using BIND or NLnet Labs resolvers, and this may  
> require development time to support such an initiative.
>
> Key Rollover
>
> ·         A shakedown of the key rollover process is needed.  This  
> requires engagement with the main resolver operators, i.e. the ISPs  
> and the software vendors (ISC, NLnet Labs, etc.)  The process will  
> take a few months, at the very least, because each rollover requires  
> at least a month.
>
> Trust and Transparency
>
> ·         There is a concern for securing the KSK/ZSK at the root  
> and ensuring this process has transparency and security.
>
> ·         What assurance does the global community need regarding  
> the key ceremony and the processes associated with key management?
>
> Impact on ISPs and Resolvers
>
> ·         ISP’s authoritative data will grow significantly with  
> signed data.  We need to make sure Authoritative DNS operators are  
> more aware of the impacts to their data and how this will impact  
> resolver caches.
>
> ·         Some resolvers, particularly BIND, set the DO bit for  
> every request, thereby asking for a signed response, even if they  
> don't intend to check the signature.  Once there are signatures in  
> the root zone, there will be a spike in size of responses.  How will  
> this affect resolvers and ISPs?
>
> Contingency Plans
>
> ·         What might go wrong when the root is signed?  Is there a  
> way of telling?  Might it be necessary to step back and revert to an  
> unsigned root for a period of time?  If so, who will make the  
> decision and how will the roll back be accomplished?
>
> Call for Participants
>
> This symposium is specifically for people who are well informed and  
> have current issues or proposed solutions to bring to the table.
>
> Prospective participants are hereby invited to send email to the  
> steering committee at info () dnsseccoalition org with a brief  
> description of the issue(s) he or she wishes to discuss.  In the  
> interest of time, topics should be proposed by May 11.  Invitations  
> and details on logistics, D.C. area will be issued by May 14.
>
> Best,
> Lauren
>
>
> LAUREN PRICE
> Chair, The DNSSEC Industry Coalition
> Mobile: 703-973-1669
> Fax: 703-889-5779
> Email: lprice () pir org
>
>
> .ORG, The Public Interest Registry
> 1775 Wiehle Avenue, Suite 200
> Reston,VA  20190
>
> Visit us online!
> Check out events & blogs at .ORG Buzz!
> Find us on Facebook
> See the .ORG Buzz! Photo Gallery on Flickr
> See our video library on YouTube
>
> CONFIDENTIALITY NOTE:
> Proprietary and confidential to .ORG, The Public Interest Registry.   
> If received in error, please inform sender and then delete.





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com