bcp on dnssec operations (volunteering)
olaf@ripe.net Mon, 28 May 2001 12:27 UTC
From: olaf@ripe.net
Message-Id: <200105281155.NAA00564@x50.ripe.net>
To: dnsop@cafax.se
Cc: miekg@nlnetlabs.nl
Subject: bcp on dnssec operations (volunteering)
Date: Mon, 28 May 2001 13:55:55 +0200
Sender: owner-dnsop@cafax.se
Precedence: bulk

Dear colleagues,

We feel the time is right to start documenting operational considerations with respect to deployment of DNSSEC. Miek Gieben and myself are hereby volunteering to edit such a document.

Our intention is to make a reasonably complete reference for those who want to deploy DNSSEC in their environment. Below is a table of content to indicate the topics we want to cover.

We invite everybody to suggest additional topics, share rough ideas, submit text and/or give input on our approach.

We want to submit a first framework draft before the London IETF and a fairly advanced draft by the December IETF.

Although this work will be done as part of the dnsop working group, we will use the dnssec@cafax.se (majordomo) list for discussing the details. All drafts will, of course, be posted to the dnsop list.

--Olaf Kolkman  OKolkman@ripe.net
  Miek Gieben   Miek@nlnetlabs.nl

draft-ietf-dnsop-dnssec-operational-considerations

Table of Contents

1 Introduction
    <!--Introduction on the document and its structure.-->

2 DNSSEC, the basics in one page
    <!--One page DNSSEC concepts recap. -->
  2.1 Public key cryptography and DNSSEC
      <!--Recap of terminology and important concepts.-->
  2.2 Parent and child
      <!-- Delegating zone publishing authority and signing authority. -->
  2.3 Differences w.r.t. non DNSSEC operations.
      <!-- describe additional maintenance tasks refer to elsewhere in the BCP for details -->

3 Roles and responsibilities.
  3.1 domain holder
      <!-- responsible for zone content -->
  3.2 registrar
  3.3 registry
  3.4 zone administrator
      <!-- access to the zone file -->
  3.5 key-master
      <!-- has access to keys and can sign -->

4 Key handling
  4.1 Why to keep your key secret
  4.3 key generation
  4.4 Key lifetime.
  4.5 Signing system.
      <!-- architecture suggestion -->
  4.6 Signing process.
      <!-- how to prevent the signing of the WRONG data. -->

5 Scheduled Parent Child interactions
  5.1 Establishing trust
      <!-- First Key exchange -->
  5.2 Key roll over
  5.3 Nameserver changes

6 Emergency procedures.
  6.1 Unscheduled key roll over.

7 Policy issues
    <!-- We are not sure if we want to maintain this section -->
  7.1 DNS as a PKI
  7.2 Signature and the DNS
  7.3 How to publish a policy

8 Timing parameters
  8.1 Inventory of timing parameters
      <!-- SOA, default TTL, TTL on RRsets, TTL of SIG and KEY life time of KEY and SIG. -->
  8.2 Considerations on timing.
      <!-- how do these parameters interact. What are decent values. -->

9 Systems consideration
  9.1 Random devices
  9.2 Systems security.
  9.3 Hardware and OS considerations

References

Appendix
  A. Suggested notation for describing key exchanges.
  B. Emergency procedure form.
  C. Suggested Literature