This is the DNSEXT Working Group (where the microphones are at Scandic hights)

1
This is theDNSEXT Working Group(where the
microphones are at Scandic hights)

• San Diego IETF60
• jabberdnsext_at_ietf.xmpp.org

2
Agenda DNSEXT

• Administrivia 5 min
• appointing scribes
• Classic David Blacka
• jabber George Michaelson (dnsext_at_ietf.xmpp.org)
• blue sheet
• agenda bashing
• Monday Aug 2, 0900-1130 1st slotDNSSEC session
• Thursday Aug 5, 900-1015(!?) Other DNSEXT
  extension work.

3
Monday agenda

• Announcements
• Reid DNS-MODA announcement (approx 3 min, no
  discussion)
• DNSSEC Deployment issues
• Report on implementation
• Key management topics (approx 60 minutes)
• StJohns draft-stjohns-dnssec-trustupdate-01
• Ihren DNSSEC in-band key rollover(draft-kolkman-
  dnsext-dnssec-in-band-rollover-00)

4
Monday agenda continued

• Requirements for future work on Denial of
  Existence (approx 60 minutes)
• Loomis/Laurie Requirements overview
• Possible transitions
• Koch draft-ietf-dnsext-dnssec-trans-00.txt
• Possible approaches
• Arends DNSNR draft-arends-dnsnr-00.txt
• Laurie NSEC2 http//www.links.org/dnssec/draft-la
  urie-dnsext-nsec2-01.txt
• Weiler comparing the above
• Wrapup (approx 10 minutes)

5
Thursday AgendaOther DNSEXT work.

• Schlyter Report on RFC 3597 interoperability
  testing.http//www.rfc.se/interop3597
• Eastlake draft-eastlake-tsig-sha-03.txt (10m)
• Austein draft-austein-dnsext-nsid-01.txt (10m)
  (Related to draft-ietf-dnsop-serverid-02 )
• More WG Administrivia
• Document Status
• Charter Review
• Open mike

6
And now for something completely different

• Report on implementation
• Key management topics (approx 60 minutes)
• StJohns draft-stjohns-dnssec-trustupdate-01
• Ihren DNSSEC in-band key rollover(draft-kolkman-
  dnsext-dnssec-in-band-rollover-00)

7
Continuing the agenda

• Intermezzo Vixie DLV
• More discussion of key-managment
• We forgot the MODA announcement
• And then NSEC

8
Process

• NSEC walking is a (perceived) barrier to
  deployment
• The WG cannot force DNSSEC-bis to be deployed and
  may speed deployment if a solution is found
• Therefore we have to seriously consider this
• We have to know what the requirements are before
  we can actually start to engineer

9
Process 2

• We can assess the current proposals on how they
  interact with DNS(SEC) protocol
• We cannot at this moment not assess if they solve
  the problem
• There may be other solutions to the problem
• think white lies schemes
• different complexity/security properties

10
Process 3

• Seriously discuss the requirement to gain
  understanding and assess completeness
• Discuss the two proposals
• Interaction with the protocol
• No measure against the requirements during this
  meeting.
• As always, the room does not decide, the list does

11
Process 4A Warning
SEVEREOlafur may explode
HIGHirreversible physicaldamage may occur
ELEVATED elevated egos may burst
GUARDED general insults maybe exchanged
LOW low risk of protocoldeveloping
12
(No Transcript)
13
This is theDNSEXT Working Group(where the
microphones are at Scandic heights)

• San Diego IETF60
• jabberdnsext_at_ietf.xmpp.org

14
Thursday Meeting

• Other DNSEXT work.
• Classic Scribe (Peter Koch)
• Jabber Scribe

15
Agenda

• Schlyter Report on RFC 3597 interoperability
  testing.http//www.rfc.se/interop3597
• Eastlake draft-eastlake-tsig-sha-03.txt
• Eastlake draft-ietf-dnsext-ecc-key-04.txt
• Austein draft-austein-dnsext-nsid-01.txt (10m)
  (Related to draft-ietf-dnsop-serverid-02 )
• More WG Administrivia
• Document Status
• Charter Review
• Open mike
• Roy Arends on Finger Printing

16
WG Administrivia
17
WG Active docs

• draft-ietf-dnsext-wcard-clarify-03
• Version 4 did not make the cut-off but is ready
  to be submitted.
• draft-ietf-dnsext-tkey-renewal-mode-04
• After WG last call a problem was discovered,
  protocol made unrealistic assumptions
• This has been fixed in 04, a new WGLC will be
  done

18
WG Final stages

• draft-ietf-dnsext-mdns-33
• 33 I-D nits are not satisfied

1.2.3.4.5.6.7.8.9.0.1.2.3.4.5.6.7.8.9.0.1.2.3.4.5.
6.7.8.9.0.1.2.ip6.arpa

• is more than 72 characters.
• draft-ietf-dnsext-insensitive-04
• Waiting for write-up

19
WG stalled

• draft-ietf-dnsext-rfc2536bis-dsa-4
• stalled
• draft-ietf-dnsext-rfc2539bis-dhk-4
• stalled
• draft-ietf-dnsext-ecc-key-4
• stalled
• All waiting for 2535bis. Can be thawed

20
Docs _at_ IESG

• Publication Requested
• draft-ietf-dnsext-dnssec-intro-11
• draft-ietf-dnsext-dnssec-protocol-07
• draft-ietf-dnsext-dnssec-records-09

21
More Docs _at_ IESG

• RFC Ed Queue
• draft-ietf-dnsext-dns-threats-07
• draft-ietf-dnsext-nsec-rdata-06
• AD is watching
• draft-ietf-dnsext-dnssec-opt-in-05
• We focused on getting DNSSECbis done
• draft-ietf-dnsext-axfr-clarify-05
• Waiting for AD write up
• draft-dnsext-opcode-discover-03

22
Still more docs at IESG

• Revised ID Needed
• draft-ietf-dnsext-dhcid-rr-07
• Waiting for DHC WG output.

23
RFC since last time we met

• draft-ietf-dnsext-gss-tsig-07.txt (RFC3645)
• draft-ietf-dnsext-ad-is-secure-07.txt (RFC3655)
• draft-ietf-dnsext-delegation-signer-16.txt
  (RFC3658)
• draft-ietf-dnsext-dnssec-2535typecode-change-07.tx
  t (RFC3755)
• draft-ietf-dnsext-keyrr-key-signing-flag-13.txt
  (RFC3757)

24
New work items

• Does this group mind if we worked on DNSSEC key
  management?
• Would need charter changes
• DNSOP relations and security folk input

25
More new work items

• We propose to work on Zone Enumeration
• Would need charter changes (task description)
• Requirements as first result
• After that we decide on approach

26
The Plan

• Slow but steady progress on getting documents
  from proposed to draft standard
• Clean up the left-overs
• Have the list of docs hanging at the IESG and
  expired docs reduced to NULL by next IETF
• Closely track protocol needs for DNSSEC deployment