[19:40:10] <ggm> ggmscribe?
[19:40:22] <ggm> DNSOPs working agenda. reviewing docs in WG last call.
[19:40:30] <ggm> Refresh/die?
[19:40:42] <ggm> Matt Larsen Floor: want to see serverid come back
[19:41:11] <ggm> Rob Austein: as IAB liaison/ICANN rssac, asked to tell IETF/wg ie myself etc that RSSAC want serverid, or something fulfilling same role come back
[19:41:25] <ggm> BillM we need serverid
[19:41:49] <ggm> itojun don't publish unreachable is important
[19:42:07] <ggm> kolkman resolver rollover, with DNSSEC nearing completion will want to be looked at again
[19:43:16] <ggm> susan need it badly. can pursue this draft, or try to pull together suggestions. want to take it over or pursue
[19:45:23] <ggm> may refer back into protocol to get new flag/status value
[19:45:34] <ggm> Key rollover requirements, 5mins, Dupont.
[19:45:40] <ggm> [this ok? -ggm]
[19:46:06] <wgriffin> ggm: are you asking if the minutes you're taking are ok?
[19:47:44] <ggm> [yep. its terse, but its the best I can do for now -ggm]
[19:48:04] <wgriffin> yes. the minutes are working great for me. terserness is fine.
[19:48:08] <ggm> rollover can be expensive. ex .com with 10% KSKs renewed once/year == 300 rollovers/day.
[19:48:11] <ggm> needs to be automated
[19:48:38] <ggm> reqts. chains valid at all times. caches need to be taken into account. private keys can be on other boxes.
[19:48:43] <ggm> open issues: emergency rollovers
[19:53:49] <ggm> draft needs comments. coordination with dnsext? mechanisms/protocols to be explored
[19:56:33] <ggm> DNSSEC operational practices, Olaf Kolkman
[19:56:38] <ggm> 'consider this a teaser'
[19:57:04] <ggm> operational experiences, mainly workshops/experiments. things we think might be useful for people rolling out DNSSEC.
[19:57:30] <ggm> tries to identify differences between plain DNS and DNSSEC. intent is to work the doc, publish as informational after a couple of iterations
[19:57:44] <ggm> Document is about TIME. DNSKEY and Parental Policies.
[19:58:08] <ggm> How RR sets propagate through the system. new: behaviour now depends on two RRsets propagating through the system at different speeds
[19:59:13] <ggm> TIME is new. dns always used to be about relative time, timers are counters. ttls are count-down, suddenly we have to sit on expiration time which is absolute time. also time now sets when things disappear from caches. do not want SIG validity time to die as cache dies. this would break you badly.
[19:59:28] <ggm> need to push new sigs at least one TTL before RRSIGs expire.
[19:59:52] <ggm> SOA expiration doesn't know about DNSSEC. if secondary can't reach primary, sigs may have expired. will not be noticed.
[20:00:00] <ggm> DNSKEY issues
[20:00:33] <ggm> key size recommendations. based on 'journal of cryptography' article Lenstra/Verheul. give indications of key sizes for coming years, felt comfortable quoting their numbers.
[20:00:54] <ggm> key rollover scenarios. DNSKEYs and RRSIGs are decoupled. travel through DNS system differently
[20:01:01] <ggm> Key rollover scenarios.
[20:01:14] <ggm> Always make sure there is a DNSKEY in cache to verify the RRSIG from auth server.
[20:01:37] <ggm> ZSK rollovers
[20:01:53] <ggm> double sig rolls, good for large zone files (differential ZSK rollover times)
[20:02:04] <ggm> also pre-publish key to be used in the future.
[20:19:01] <ggm> details on double sigs proposal. how it works.
[20:19:01] <ggm> need to plan for emergency rollover. parental policy considerations. how to exchange and store keys. security 'lameness' (referring to a non-existent key)
[20:19:01] <ggm> DS validity checking
[20:19:05] <ggm> doc is in the WG. would like to see tests of documented procedures. nits to Kolkman/Gieben, content to the list.
[20:19:05] <ggm> Rob Austein, not as chair. ttl constraints discussion is useful, recommendations may not be where you want to go.
[20:19:05] <ggm> Key size. want to talk to other people. more expertise needed
[20:19:05] <ggm> Key rollover. good stuff. good to have it written down
[20:19:05] <ggm> Ed Lewis. time is scary
[20:19:05] <ggm> Rob Austein. inaddr required. author got tired of fighting. people jumping up and down. title is misleading.
[20:21:37] <ggm> Itojun took token to re-write draft and bring back to life
[20:22:05] <ggm> Charter items. DNSSEC ops. IPv6 co-existence Root/TLD/Gen-dns-zone
[20:24:01] <ggm> DNSSEC, left alone for now.
[20:24:06] <ggm> IPv6 co-existence.
[20:24:45] <ggm> pekka. useful to have doc describing current practices.
[20:28:59] <ggm> doesn't seem like a lot of work being done in the last areas Root/TLD/gen-dns-zone issues
[20:35:10] <ggm> Expired Drafts
[20:35:12] <ggm> Dont publish unreachables. still work on?
[20:39:57] <ggm> survey of time convergence in servers based on info in DNSSEC responses
[21:11:56] <ggm> sorry. I should have said. it finished early. ran out of agenda.
[21:12:20] <ggm> (what's left for next day of dnsop was left, because some people decided to come on that day only so was not brought forward)
