To: dnssec@cafax.se
From: Edward Lewis <lewis@tislabs.com>
Date: Fri, 7 Sep 2001 10:16:27 -0400
Sender: owner-dnssec@cafax.se
Subject: DNSSEC Minutes (Aug 7, London mtg.)

These are the minutes of the meeting we had August 7 in London. If anyone wants to add to this, go ahead.

BTW, in case anyone was wondering about all the hallway commotion, the hotel had re-divided the rooms without telling the secretariat, and the other group had reserved coffee, etc. The cleaning staff put us in the room with the coffee (they didn't know either) and the other group had to be let into the other room late and without coffee. Moral of the story - hold the meetings early in the evening...or your room may be usurped!

NAI Labs - Russ Mundy, Wes Griffin, Ed Lewis
-Support .mil
-Currently running tislab.com zones, cumbersome but possible
-Research questions: PubKey avail, cross-signing, multi-author
-Apply DNSSEC to SSH application (in OpenSSH)
-Running workshops, outreach work

SAIC - Rip Loomis, Jessica Little
-DISA support for .mil, DOD NIC, root server operator
-Other support for .gov
-Testing of BIND 9 releases
-Security Plan documented, requirements and desires

CR&T - Jakob Schlyter
-Doing the right thing for Sweden
-With Autonomica, progressing towards signing .se

NIST - Scott Rose
-Performance testing
-Work based on old NSA code
-Workshops, last June and in future
-Not legal authority for .gov

Verisign - Mark Kosters, Andy Newton
-Signing of .com, .net, and .org
-Incremental deployment, Opt-In/Sig@"*"
-Research URL: https://www.dnssec.research.netsol.com/
-Code base separate from BIND 9

NLnet Labs - Stephan Jager, Alexis Yushin, Miek Gieben, Ted Lindgreen
-Hands-on application to large TLD's
-Involvement in CENTR (ccTLD's, mostly European) DNSSEC WG
-Resolver, V6, dig/sig chaser, .nl.nl tree
-Issues: Justification, Are we securing DNS or providing a PKI publishing svc?
-Workshops
-Collaboration with RSA Labs (Simon Jo, not present)

RIPE NCC - Olaf Kolkman, Shane Kerr
-Methods to secure Internet, starting with DNSSEC
-Workshops (with NLnet Labs)
-PERL tool

SIDN (.nl) - Jaap Akkerhuis
-.nl registry, signing, collaborate with NLnet Labs
-Same boat as Sweden

Nominum - Jim Reid
-Donating BIND code to ISC (under funding from other sources)
-Received requests for documentation fixes
-Recommends using OpenSSL latest version for BIND (see www.openssl.org)
 --Latest version at meeting time was 0.9.6b

TUT - Matti Saarinen
-Beginning interest in topic

DOD/DISA - Andy Nguyen
-Tasked with implementation of DNSSEC in .mil (authoritative agency)

Motorola - Donald Eastlake 3rd
-Attended as author of original documents

USC/ISI (West) - Bill Manning, Jeff Baker (also EP.NET)
-There is a need to build (a) DNSSEC toolkit
 --Software pieces are still missing
-Securing the root zone, key handling
-Signed IPv6 infrastructure

USC ISI (East) - Dan Massey
-FMESHD project, research into "islands" of security
-A collaboration with NAI Labs: SSH modifications
-CAIRN network testbed

Autonomica - Lars-Johan Liman, Johan Ihren
-sigz.net experiment
-Mailing List - dnssec@cafax.se
-DNSOP WG chair (Liman), WG in charge of operations

IETF - Olafur Gudmundsson
-DNSEXT WG chair, WG in charge of protocol specifications
-How close is DNSSEC to deployment?

KAME - Jinmei Tatuya (Toshiba) and Jun Hagino (IIJLAB)
-IPv6/IPsec in BSD-derived operating systems
-Use of DNSSEC in IPsec key exchange
-getrrsetbyname() in libc's
-Issue, why KEY RR is used instead of CERT RR
-Should KEY RR be for DNSSEC only?
-Code donations to BIND 9 (IPv6)
-Test domain, statistics collection (EDNS0, DNSSEC related)

NeuStar - Eric Brunner-Williams
-Looking into DNSSEC for newer gTLD registries

ARIN - Ray Plzak and Cathy Murphy
-Tracking DNSSEC for adoption in the in-addr.arpa tree
-WG chair for DNSOP

WIDE - Yuji Sekiya and Jinmei Tatuya (Toshiba)
-Engineering tests of impacts on root servers
-m root server, participating in root server engineering

Neteka - Edmon Chung
-No notes

Other comments (culled from Itojun's message), mostly unanswered questions...

Is it worth the effort to experiment in a real root environment?
Will the Verisign code (server at least) be publicly released? (Undecided)
Performance is still an issue (crypto checking).
Experiments are sensitive to BIND version number (bleeding software edge).
Who is DNSSEC protecting? ISP, end user, etc.
Data integrity is a better term than "secure" or "reliable" data.
Threat model still not documented.
We need to document how DNSSEC differs from a PKI (just for the record).
Is cache poisoning "still" a major threat? Considering rfc2181 clarifications?
Key management is hard, not just within the context of DNS.
DNSSEC won't have it any easier
DNSSEC could be a bootstrap for other key management systems
What is a "minimum policy?"

Attendee List
============
Ed Lewis                NAI Labs                lewis@tislabs.com
Jaap Akkerhuis          SIDN (.nl)              jaap@sidn.nl
Olaf Kolkman            RIPE NCC                olaf@ripe.net
Wes Griffin             NAI Labs                wgriffin@tislabs.com
Miek Gieben             NLnet Labs              miekg@nlnetlabs.nl
Alexis Yushin           NLnet Labs              alexis@nlnetlabs.nl
Stephan Jager           NLnet Labs              stephan@nlnetlabs.nl
Ted Lindgreen           NLnet Labs              ted@nlnetlabs.nl
Ray Plzak               ARIN                    plzac@arin.net
Cathy Murphy            ARIN                    cathym@arin.net
Eric Brunner-Williams   NeuStar                 brunner@nic-naa.net
Jinmei Tatuya           Toshiba                 jinmei@kame.net
Jun Hagino              IIJLAB/Kame             itojun@itojun.org
Dan Massey              USC/ISI                 masseyd@isi.edu
Olafur Gudmundsson      <This space for rent>   ogud@ogud.com
Lars-Johan Liman        Autonomica              liman@autonomica.se
Bill Manning            USC/ISI                 bmanning@karoshi.com
Jeffery Baker           EP.NET                  jeff@weblet.ep.net
Donald Eastlake 3rd     Motorola                donald.eastlake@motorola.com
Mark Kosters            Verisign                markk@research.netsol.com
Andrew Newton           Verisign                anewton@research.netsol.com
Scott Rose              NIST                    scottr@nist.gov
Jakob Schlyter          CR&T                    j@crt.se
Rip Loomis              SAIC                    loomisg@saic.com
Russ Mundy              NAI Labs                mundy@tislabs.com
Jessica Little          SAIC                    jessl@nic.mil
Shane Kerr              RIPE NCC                shane@ripe.net
Andy Nguyen             DISA                    nguyen3a@ncr.disa.mil
Yuji Sekiya             WIDE                    sekiya@wide.ad.jp
Jim Reid                Nominum                 jim.reid@nominum.com
Matti Saarinen          TUT                     mjs@cc.tut.fi
Edmon Chung             Neteka                  edmon@neteka.com
Johan Ihren             Autonomica              johani@autonomica.se

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.