DNSOP WG minutes from Washington.

Lars-Johan Liman <liman@sunet.se> Thu, 11 January 2001 16:17 UTC

To: dnsop@cafax.se
Subject: DNSOP WG minutes from Washington.
Date: Mon, 06 Dec 1999 08:57:15 +0100
From: Lars-Johan Liman <liman@sunet.se>

Folks,

Here are the minutes from the Washington meeting. Please send your
comments before Wednesday, if you have any. They are due on Thursday.

Thanks, Ray, for taking notes and preparing these minutes!

				Cheers,
				  /Liman

DNSOP WG
8 November 1999
Minutes
Prepared by Ray Plzak

1.  Agenda Bashing.  

Add Status Report on the draft Root Name Server Operational Requirements


2.  Status Report
Root Name Server Operational Requirements -  Randy Bush

One change to be made in paragraph 2.7 stating that the root servers
SHOULD NOT allow AXFR of a zone.  The draft is then ready for WG last
call.

3.  Report from CAIRN Workshop - Ed Lewis

A DNSSEC workshop was conducted on 29-30 September 1999 at the
Collaborative Advanced Inter-agency Research Network (CAIRN) testbed at
ISI's Northern Virginia offices.  CAIRN is a DARPA-funded testbed used by
Government, University, and Commercial researchers to conduct Internet
Protocol (IP) network based research.  The workshop was modeled on the
workshop that was conducted in Sweden in May 1999.

Full information on the conduct of the tests and results is contained in
draft-ietf-dnsop-dnsseccairn-00.txt.  Additional information on the CAIRN
testbed is available at http://www.cairn.net.  Details on the DNSSEC
implementation in CAIRN can be found at http://www.cairn.net/DNSSEC.

The draft will be periodically updated to report on continued testing.  Ed
solicited other workshop sponsors to conduct similar testing.

It was not known if non-CAIRN organizations could participate in the CAIRN
testbed.

Liman stated that he has plans to set up an open DNSSEC test bed.

4.  Interpretation of DNSSEC Signatures - Olafur Gudmundsson

Several questions have arisen in regards to the meaning of DNSSEC
signatures.

	* Is there an implied liability in regards to the data?

	* What does the AD bit cover?

	* What should the server do when the CD bit is set?

RFC 2535 is not clear on this and should be updated.  Work will begin on
updating the RFC.

5.  Handling of DNS Zone Signing Keys - Ed Lewis

Report on draft-ietf-dnsop-keyhand-01.txt.

There were primarily "mechanical" changes made since the last draft.
There are some proposed changes that were prompted by the CAIRN workshop.
These proposed changes/issues are:

a.  Expand the document to cover other cryptographic material used by a
zone (TSIG, SIG(0)).

b.  Redefine the legal signing of keys.  This is being changed in the
DNSIND WG.

c.  Dynamic Update Issues

	* The conflict between the goal of off-line signing and the use of
an on-line key for updates.

	* The assignment of meaning to various key strengths in the KEY
flags field.

d.  Security Considerations that need to be documented:

	* The impact of a broken key on the delegated zone.

	* The risk of a poorly run parent to the child zone.

e.  Several issues created by having multiple algorithms:

	* The problem in a parent's signing of a child's key.

	* The implication of the number of NULL keys.

	* How do the parent and child verify each other's data when they
don't share the same algorithm?

The draft will be used to track DNSSEC changes and will therefore mature
slowly.  The next major step is the release of BIND 9.  Ed solicited WG
members to contribute to the document.

6.  Distributing Root Name Servers via Shared Unicast Addresses

Ted Hardie reported on the updates to his draft.  Masataka Ohta did not
present his draft.

draft-ietf-dnsop-hardie-shared-root-server-00.txt

The purpose of this practice is to enable a single root server operator to
provide access to a single named root server in multiple locations.  It
presumes a one-to-one mapping between named root servers and the
administrative entities.  Implementation will increase the distribution
of the root DNS servers to previously under-served areas of the network
topology and reduce the latency for DNS query responses in those areas.

The mechanics of the practice were discussed.  Details are in the draft.
A major problem to be overcome is how to find a malfunctioning machine in
the server suite.

The next step is to use the draft to gain operational experience.  The
draft should progress towards a BCP for all servers with a separate
document being developed for Root Ops.

7.  Charter Review - Lars-Johan Liman

Liman conducted a review of the WG charter.  

Jun 99 Publish revised Root Server Requirements. - Done

Jul 99 Publish revised version of Key Handling. - Done

Jul 99 Publish first version of Servers Sharing IP#. - Done

Sep 99 WG last call for Root Server Requirements.
	* Move to Nov/Dec 99

Sep 99 Publish first version of Performance and Measuring.
	* Move to Sep 00

Oct 99 Publish revised version of Key Handling. - Done

Oct 99 Publish revised version of Servers Sharing IP#. - Done

Nov 99  Submit Root Server Requirements to the IESG for consideration
as Informational (BCP?).
	* Will slip based on WG last call

8. Report on RIPE 203 Document - Peter Koch

This document provides guidance for the choice of time values for the SOA
record.  When it is adopted by ISPs, Peter will submit it to the WG with
the goal of making it a BCP.

9.  RFC 2317 - Peter Koch

This document describes a practice for handling classless in-addrs.  Peter
raised the issue of whether this document should be updated.  After
discussion, the WG decided that operational experience with using the
practice should be documented and published.  Peter will prepare the
draft.

10.  BCP Proposal - Mark Andrews

Mark proposed that a BCP be developed to document the
delegation process.  Technical requirements that must be met and testing
to be conducted prior to the delegation would be included.  The WG was
overwhelmingly in favor of producing this document.  Mark will work on the
draft.

11.  Other items.

Liman will document the process to do DNSSEC.  This will be a DNSSEC
tools, testing and ops document which will list the processes and the
order of the steps.  Target for the draft is Feb 00.