To: dnssec@cafax.se
cc: miekg@nlnetlabs.nl
From: OKolkman@ripe.net
Date: Mon, 28 May 2001 14:32:05 +0200
Delivery-Date: Mon May 28 22:16:39 2001
Sender: owner-dnssec@cafax.se
Subject: bcp on dnssec operations (volunteering)
FYI: We just posted this on dnsop@cafax.se. Excuse me for the duplicate messages if you are on that list as well.

--Olaf

------- Forwarded Message

Dear colleagues,

We feel the time is right to start documenting operational considerations with respect to deployment of DNSSEC. Miek Gieben and I are hereby volunteering to edit such a document. Our intention is to make a reasonably complete reference for those who want to deploy DNSSEC in their environment.

Below is a table of contents to indicate the topics we want to cover. We invite everybody to suggest additional topics, share rough ideas, submit text and/or give input on our approach.

We want to submit a first framework draft before the London IETF and a fairly advanced draft by the December IETF. Although this work will be done as part of the dnsop working group, we will use the dnssec@cafax.se (majordomo) list for discussing the details. All drafts will, of course, be posted to the dnsop list.

--Olaf Kolkman    OKolkman@ripe.net
  Miek Gieben     Miek@nlnetlabs.nl

draft-ietf-dnsop-dnssec-operational-considerations

Table of Contents

1    Introduction
       <!-- Introduction on the document and its structure. -->
2    DNSSEC, the basics in one page
       <!-- One page DNSSEC concepts recap. -->
2.1  Public key cryptography and DNSSEC
       <!-- Recap of terminology and important concepts. -->
2.2  Parent and child
       <!-- Delegating zone publishing authority and signing authority. -->
2.3  Differences w.r.t. non-DNSSEC operations
       <!-- Describe additional maintenance tasks; refer to elsewhere in the BCP for details. -->
3    Roles and responsibilities
3.1  Domain holder
       <!-- Responsible for zone content. -->
3.2  Registrar
3.3  Registry
3.4  Zone administrator
       <!-- Access to the zone file. -->
3.5  Key-master
       <!-- Has access to keys and can sign. -->
4    Key handling
4.1  Why to keep your key secret
4.3  Key generation
4.4  Key lifetime
4.5  Signing system
       <!-- Architecture suggestion. -->
4.6  Signing process
       <!-- How to prevent the signing of the WRONG data. -->
5    Scheduled parent-child interactions
5.1  Establishing trust
       <!-- First key exchange. -->
5.2  Key rollover
5.3  Nameserver changes
6    Emergency procedures
6.1  Unscheduled key rollover
7    Policy issues
       <!-- We are not sure if we want to maintain this section. -->
7.1  DNS as a PKI
7.2  Signature and the DNS
7.3  How to publish a policy
8    Timing parameters
8.1  Inventory of timing parameters
       <!-- SOA, default TTL, TTL on RRsets, TTL of SIG and KEY, lifetime of KEY and SIG. -->
8.2  Considerations on timing
       <!-- How do these parameters interact? What are decent values? -->
9    Systems considerations
9.1  Random devices
9.2  Systems security
9.3  Hardware and OS considerations
     References
Appendix
A.   Suggested notation for describing key exchanges
B.   Emergency procedure form
C.   Suggested literature

------- End of Forwarded Message