
DS and Opt-in - a proposal



This is a request for comments.  Members of the working group who disagree
with these recommendations, please send technical comments on the mailing
list ASAP.  Similarly technical points in support we might have missed
should also be sent to the list.

There has been discussion among interested parties on the issue of DS [0]
and Opt-in [1] adoption in DNS.  A small group has discussed the issues on
a conference call and has identified the following issues:
 o DS and OPT-in both break backwards compatibility with RFC 2535.
 o DS increases protocol complexity but reduces operational effort.
 o OPT-in limits authenticated denial of secured names while at the same
   time potentially saving significant operating costs for large delegating
   zones.
 o Due to key management scaling issues, deploying RFC 2535 without DS will
   severely limit the usability of DNSSEC.
 o The cost of incompatible changes increases steeply with time.  Currently,
   there is minimal deployment of RFC 2535 signed zones, so there is minimal
   use of secure resolvers, so the impact is lowest now.
 o Delegations in DNS are hard to secure: the NS set is present on both
   sides of the zone cut, but only the child signs it.
 o The value of authenticated denial is not clear; for some it is important,
   for others it is only a nice but sometimes expensive property.

The discussion concluded that the deployment of DS was critical, and worried
that a decision not to adopt Opt-in could pose problems in deployment.  Thus
we propose the following:
 o DS and Opt-in proposals both be adopted and
 o RFC 2535 backwards compatibility NOT be retained. (flag day!)
In parallel to getting slightly revised OPT-in and DS documents published as
Proposed Standards, the following activities should take place:
 o Implementation(s) of name servers and resolver(s) that support DS and
   Opt-in must be made available as soon as possible.
 o The rewrite of RFC 2535 should be resumed and completed no later than
   June 2002.

Time-line 
  - Opt-in and DS go for WG last call February 1
  - Opt-in and DS go for IETF last call February 15
  - RFC 2535bis-00 draft March 1
  - RFC 2535bis-xx WG last call March 15

List of people participating in the discussion group 
  Roy Arends
  Steve Bellovin (regrets)
  Randy Bush
  Olafur Gudmundsson
  Edward Lewis
  Mark Kosters
  Paul Vixie
  Brian Wellington

This begins a two-week last call on this proposal, to end 2002.01.01.

Thanks,
  Olafur Gudmundsson and Randy Bush
  dnsext co-chairs

---

[0] - draft-ietf-dnsext-delegation-signer-04.txt
[1] - draft-ietf-dnsext-dnssec-opt-in-01.txt
