To: dnsop@cafax.se
Cc: edlewis@arin.net
From: Edward Lewis <edlewis@arin.net>
Date: Mon, 18 Nov 2002 16:30:10 -0500
Sender: owner-dnsop@cafax.se
Subject: A report on ARIN's DS workshop
In early October, ARIN sponsored a DS workshop. The principal objective of the workshop was to exercise the DS RR in the context of the "reverse map." Results from the workshop include[0]:

1) During orderly key roll overs, there was a period of time in which recursive name servers would return SERVFAIL. (The code used in the workshop was the July 22 snapshot of BIND 9.3.) What caused this was not determined. The problem appeared to be a "race condition," and could have been caused by the interaction of TTL expirations.

2) Key transfer was performed by FTP of the keyset file. The keyset file contained the public keys specified by the '-k' flag in the signer command. There were some problems with this. The 7/22 snapshot does not self-sign the keys in the keyset file. If the signatures were present, the signatures would provide a means to authenticate an orderly roll over of keys. Of course, if security is built into the transport of the file, the signatures are not necessary, but there's no way to get them in there without modifying the source code.

There's a more significant (tool) problem. In order to achieve an orderly roll over, it is desirable to have the DS RR pointing to the new KSK and have the apex KEY RR set signed by the old and new KSKs. (To allow for older, cached DS RR sets.) There is no set of parameters to the signer command that will place just the new KSK in the keyset and sign the apex KEY RR set with the old and new KSK.

3) There still exists a need for a better set of tools to debug and observe the process of resolution. E.g., a tool that is like dig, but follows (and shows) referrals and reports on validation actions.

4) There is a need to set up some means to get tool requirements from users to developers. Currently the best mechanism is the mailing list dnssec@cafax.se

[0] - These notes are still "draft."
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-703-227-9854
ARIN Research Engineer
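The rollover observation in item 2 (the apex key set must be signed by both the old and the new KSK while older DS RRs may still be cached) can be checked with a small model of what a validating resolver does at the delegation point. The following is an added example written for this page, not code from the workshop or from BIND. It is a toy: key names and secrets are constructed, the DS digest is a plain SHA-256 of the toy public key rather than the RFC wire-format digest, and an HMAC stands in for the public-key RRSIG (so "verification" here shares the secret, which a real resolver would not). What it shows is the logic: a resolver holding a stale DS for the old KSK only validates the apex key set if that set is still signed by the old KSK, which is exactly the window in which the workshop saw SERVFAIL.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Ksk:
    """A key-signing key. 'secret' stands in for the private key (toy model)."""
    name: str
    secret: bytes

    @property
    def public(self) -> bytes:
        # Toy public key, derived from the secret so the two are distinguishable.
        return hashlib.sha256(b"pub:" + self.secret).digest()

    @property
    def ds_digest(self) -> bytes:
        # Toy DS digest: hash of the public key only (a real DS also covers
        # the owner name and the full DNSKEY RDATA).
        return hashlib.sha256(self.public).digest()


def canonical(keyset):
    """Canonical form of the apex KEY RRset: sorted public keys, concatenated."""
    return b"".join(sorted(k.public for k in keyset))


def sign_keyset(keyset, signers):
    """One 'RRSIG' per signing KSK over the whole apex key set.

    HMAC-SHA256 keyed with the signer's secret is a stand-in for a real
    public-key signature; the shape of the check is what matters here.
    """
    data = canonical(keyset)
    return {s.name: hmac.new(s.secret, data, hashlib.sha256).digest() for s in signers}


def verify_sig(key, keyset, sig):
    expected = hmac.new(key.secret, canonical(keyset), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_apex(cached_ds, keyset, rrsigs):
    """Resolver-side check at the delegation.

    The apex key set validates only if some KSK in it (a) matches a DS the
    resolver currently holds and (b) has a good signature over the set.
    Returning False corresponds to the SERVFAIL the workshop observed.
    """
    for key in keyset:
        if key.ds_digest in cached_ds and key.name in rrsigs:
            if verify_sig(key, keyset, rrsigs[key.name]):
                return True
    return False


def rollover_outcomes():
    """Four resolver states during a KSK rollover, keyed 'signing/cached-DS'."""
    old = Ksk("old", b"constructed-old-ksk-secret")   # constructed sample key
    new = Ksk("new", b"constructed-new-ksk-secret")   # constructed sample key
    keyset = [old, new]                     # apex set carries both KSKs

    stale_ds = {old.ds_digest}              # parent's old DS still in cache
    fresh_ds = {new.ds_digest}              # parent has switched to the new DS

    signed_both = sign_keyset(keyset, [old, new])   # what item 2 recommends
    signed_new_only = sign_keyset(keyset, [new])    # what the tool forces

    return {
        "both/stale": validate_apex(stale_ds, keyset, signed_both),
        "both/fresh": validate_apex(fresh_ds, keyset, signed_both),
        "new_only/stale": validate_apex(stale_ds, keyset, signed_new_only),
        "new_only/fresh": validate_apex(fresh_ds, keyset, signed_new_only),
    }


if __name__ == "__main__":
    for state, ok in rollover_outcomes().items():
        print(f"{state:15s} -> {'validates' if ok else 'SERVFAIL'}")
```

Only the "new_only/stale" combination fails: a resolver whose cached DS still points at the old KSK has no signature it can use once the apex set is signed by the new KSK alone. Keeping both signatures in place until the old DS has expired from caches (the parent's DS TTL) removes that window.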