Re: Implementation work done on DNSSEC trust anchor key rollover solution

Paul Vixie <paul@vix.com> Fri, 03 February 2006 15:18 UTC

From: Paul Vixie <paul@vix.com>
To: namedroppers@ops.ietf.org
Subject: Re: Implementation work done on DNSSEC trust anchor key rollover solution
In-Reply-To: Your message of "Fri, 03 Feb 2006 09:50:28 EST." <43E36DB4.6060906@connotech.com>
References: <43E36DB4.6060906@connotech.com>
Date: Fri, 03 Feb 2006 15:15:05 +0000
Message-Id: <20060203151505.F2CD111426@sa.vix.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

# In the solution space for trust anchor key rollover, there are two
# individual Internet drafts:
# 
# http://www.ietf.org/internet-drafts/draft-moreau-dnsext-sdda-rr-01.txt
# http://www.ietf.org/internet-drafts/draft-moreau-dnsext-takrem-dns-01.txt

and there's the mstjohns draft, and the ihren/kolkman draft, and my slides
which i may yet turn into a draft, and the unpublished "requirements draft".

# Implementation work has been done, so that updated software tools are now
# available (GPL'ed free software). See
# http://www.connotech.com/takrem_tools/trust-anchor-foundry_02.tar.gz

to reiterate from the most recent dnsext meeting, GPL isn't adequate for ISC
nor for any member of the BIND Forum who has spoken up or been asked about
it.  unless takrem's specification is released without IPR limitations, so
that dnsext can rewrite it any way they want to and implementors can put it
into products without worrying about patents or licensing, we'll ignore it.

# This update includes a complete solution for DNS zone management
# procedures (i.e. trust anchor key management and DNS authoritative
# nameserver operations), and an API for TAKREM support in DNSSEC-aware
# resolver software.

truly, the quality of this implementation sounds very high indeed.  it's a
shame that the IPR limitations on takrem have poisoned it before the outset.

# The software development planning aspects are covered in two documents,
# respectively for the server side at
# http://www.connotech.com/trustanchfoundry_09.pdf and the client side at
# http://www.connotech.com/takrollover_06.pdf.
# 
# If the DNSSEC security services are important enough to deserve good
# trust anchor key procedures, here they are.

they are that important, but takrem has self-deselected from the solution
space for non-quality reasons.

i admire the heck out of the document and implementation quality, and the
marketing push behind it.  but there are other workable solutions which do
not depend on patented technology, and speaking now as president of ISC, as
an implementor of BIND, and as a member of the DNS protocol development
community, i am committed to helping bring about an IPR-free solution.

which means, apparently, that i have to turn my slide set into an I-D -- the
WG's plan for a requirements draft having now fallen by the wayside, it's
going to be a free-for-all and i need to get my own dog into this fight.  (sad.)

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>