North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: wrt joao damas' DLV talk on wednesday

  • From: David W. Hankins
  • Date: Mon Jun 12 19:30:53 2006

On Mon, Jun 12, 2006 at 09:41:03PM +0000, Paul Vixie wrote:
> since joao is probably still sleeping-off the time shift from san jose to
> madrid, i'll chime in here.  the last plan i saw was the same as the last
> draft i heard about for what any other "important" zone would do with a
> key that has to be hard coded in a lot of places: allocate more than one
> KSK and an infinite lifetime.  use this KSK offline (only), to generate
> ZSK's with short lifetimes that are in turn used online to sign the zone.

At NANOG 37, possibly after you had left the room, Randy actually
asked if we were writing a document describing ISC's operational
guidelines and policies for the dlv zone.  All those things DRC recently
said no one has told him to do yet.  It's in that context I think that
he asks these questions now.

I got the idea Randy was looking for info like appears in the BCP
that describes root server operations requirements, except as applies
to our DLV zone (and probably not an IETF document).

So, how many boxes have the private keys?  What barriers lock them away?
How many people have access to the raw keys?  How many authoritative
servers give out and where do they sit in the network and
on the globe?  Do you pre-publish or double-sign (or triple-sign (or
quintuple-sign (or ...)))?

I have no idea if such a thing exists or plans to exist, or what might
appear inside it.

> | 1. figure out why the root zone isn't signed and fix whatever it is.
> | 2. design your own version of DLV (as sam weiler has done, long before
> | 3. rubber-stamp ISC's DLV design, adopt our BSD-licensed source code
> | 4. go to IETF and say "i think something DLV should be a standard but
>   5. forget about DNSSEC until all these problems are solved by others.

Even if I choose not to do any of those 5 things and adopt ISC's DLV
registry, I probably would want some basis to compare ISC's DLV
registry with Acme's DLV registry.

Having a basis to compare ourselves imagined ideal of a bit of an intellectual excercise, but it does set
the bar for future work in similar operations, such as signing TLDs
and the root zone (wether it is IANA who is asked to do it or not).

And it helps people decide if they want to throw in or wait it out
for someone with stronger practices (or deploy a DLV with stronger

I personally think Randy's request (or my imagined version of same)
would be good reading, if someone could be found who had both the
time and knowledge to write it, and if doing so wouldn't be construed
as giving away the keys to the castle.

David W. Hankins		"If you don't do it right the first time,
Software Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins

Attachment: pgp00005.pgp
Description: PGP signature