

To: dnssec@cafax.se
cc: miekg@nlnetlabs.nl
From: OKolkman@ripe.net
Date: Mon, 28 May 2001 14:32:05 +0200
Delivery-Date: Mon May 28 22:16:39 2001
Sender: owner-dnssec@cafax.se
Subject: bcp on dnssec operations (volunteering)



FYI

We just posted this on dnsop@cafax.se. Excuse me for the duplicate
messages if you are on that list as well.



--Olaf

------- Forwarded Message


Dear colleagues,

We feel the time is right to start documenting operational
considerations with respect to deployment of DNSSEC. Miek Gieben and
myself are hereby volunteering to edit such a document.

Our intention is to make a reasonably complete reference for those who
want to deploy DNSSEC in their environment. 

Below is a table of contents to indicate the topics we want to
cover. We invite everybody to suggest additional topics, share rough
ideas, submit text and/or give input on our approach.

We want to submit a first framework draft before the London IETF and a
fairly advanced draft by the December IETF.

Although this work will be done as part of the dnsop working
group, we will use the dnssec@cafax.se (majordomo) list for discussing
the details. All drafts will, of course, be posted to the dnsop list.


--Olaf Kolkman OKolkman@ripe.net
  Miek Gieben  Miek@nlnetlabs.nl


draft-ietf-dnsop-dnssec-operational-considerations


Table of Contents
      1 Introduction
   
      <!--Introduction to the document and its structure.-->

      2 DNSSEC, the basics in one page
   
      <!--One page DNSSEC concepts recap. -->
	
      2.1 Public key cryptography and DNSSEC

      <!--Recap of terminology and important concepts.-->
 
      2.2 Parent and child

      <!-- Delegating zone publishing authority and signing 
	authority. -->

      2.3 Differences w.r.t. non DNSSEC operations.

      <!-- describe additional maintenance tasks refer to elsewhere
           in the BCP for details -->
      

      3 Roles and responsibilities.
      3.1 domain holder  <!-- responsible for zone content -->
      3.2 registrar
      3.3 registry
      3.4 zone administrator  <!-- access to the zone file -->
      3.5 key-master     <!-- has access to keys and can sign -->


      4 Key handling
      4.1 Why to keep your key secret
      4.3 key generation
      4.4 Key lifetime.      
      4.5 Signing system.
          <!-- architecture suggestion -->
      4.6 Signing process.
          <!-- how to prevent the signing of the WRONG data. -->


      5 Scheduled Parent Child interactions
      5.1  Establishing trust
           <!-- First Key exchange -->
      5.2  Key roll over
      5.3  Nameserver changes	

      6 Emergency procedures.
      6.1 Unscheduled key roll over.

      7 Policy issues
          <!-- We are not sure if we want to maintain this section -->
      7.1 DNS as a PKI
      7.2 Signature and the DNS
      7.3 How to publish a policy

      8  Timing parameters
  
      8.1 Inventory of timing parameters
	<!--	SOA, default TTL, TTL on RRsets, TTL of SIG and KEY
		life time of KEY and SIG. -->
      8.2 Considerations on timing.
	<!-- how do these parameters interact. What are decent values. -->


      9  Systems consideration
      9.1 Random devices
      9.2 Systems security.
      9.3 Hardware and OS considerations

      References

      Appendix
      A. Suggested notation for describing key exchanges.

      B. Emergency procedure form.

      C. Suggested Literature



------- End of Forwarded Message

