Trust Anchor Update Requirements for DNSSEC

1
Trust Anchor Update Requirements for DNSSEC

• Russ Mundy
• mundy_at_sparta.com, mundy_at_tislabs.com
• for the editors
• Steve Crocker, Howard Eland, Russ Mundy

2
Short Background

• Multiple proposals on the table for trust
  anchor rollover
• During dnsext meeting at IETF-64, working group
  decided that various proposals were solving
  different problems
• We need a Requirements Document
• Editors Volunteered
• WG Co-chairs directed WG to send trust anchor
  rollover requirements directly to editors

3
Short Background (cont.)

• Small number of requirements stated at Vancouver
  WG meeting
• Editors ground rules
• Editors would not look at any proposed solutions
  while creating the ID
• Editors would not include any of their
  requirements in the 00 ID
• Editors received very few requirements inputs
  after the meeting

4
Short Background (cont.)

• The editors were LATE producing the document
  (sorry)
• Individual requirements ID was published a short
  time before the initial WG ID was complete

5
Rollover Req Current State

• Two requirements documents published as IDs
• Much discussion of WG ID on the list
• 10 requirements identified in WG ID
• 100 messages since 21 Feb announcement of ID
• Initial discussion centered completeness of ID
• Comments about definitions containing
  requirements
• Hilarie Orman provided contrast with individual
  ID
• Approximately 90 messages dealing with one issue
• Small number (10) messages related to another
  requirement

6
Rollover Req Current State (cont.)

• Individual submission ID published shortly before
  WG ID
• ID lists 10 requirements
• Compare contrast later in presentation
• Small amount of discussion on the list
• Comments made centered on concerns
  about the availability /or encumbrance of takrem

7
WG ID Requirements State

• 5.1 Scalability
• no discussion
• text may be acceptable
• 5.2 No Intellectual Property Encumbrance
• HUGE amount of discussion
• Seem to have sufficient words
• 5.3 General Applicability
• minimal discussion
• text may be acceptable

8
WG ID Requirements State (cont.)

• 5.4 Support Private Networks
• no discussion
• text may be acceptable
• 5.5 Support Reconnecting Systems
• minimal discussion - length of time needed to
  support re-connecting off-line systems needs to
  be decided
• descriptive text may be acceptable

9
WG ID Requirements State (cont.)

• 5.6 Manual Operations Permitted
• Moderate amount of discussion
• Not clear if current text captures requirement
• May result in more than one requirement
  particularly WRT mandatory to implement
• 5.7 Planned and Unplanned Rollovers
• minimal discussion
• text may be acceptable

10
WG ID Requirements State (cont.)

• 5.8 Timeliness
• no discussion
• text may be acceptable
• 5.9 High Availability
• no discussion yet but some is needed
• basic text may be acceptable
• 5.10 New RR Types
• no discussion yet but some is needed
• basic text may be acceptable

11
(No Transcript)
12
WG ID General Comments

• Comment Definitions contain embedded
  requirements
• Response May be correct but content of
  definitions was developed by the editors who
• Avoided putting their own requirements in ID
• needed more terminology than was defined in RFC
  4033
• Text provided already will be included in 01

13
General Comment

• Comment Comparison of Individual ID WG ID by
  Hilarie Orman
• Each document has good points
• Neither document is complete
• Response Desires of WG are not clear
• Minimal discussion on list WRT comparison
• No statements of support or opposition to
  suggestion that requirements are incomplete

14
General Comment (cont.)

• Tried to extract specific requirements from
  individual ID but didnt succeed
• Not clear that Hilaries abstraction matched
  authors intent for the requirement
• ID describes defines a number of operational
  practices that are normally local policy in
  IETF specifications
• ID seems to define security requirements that
  extend well beyond trust anchor rollover
• These may be needed but thats beyond the scope
  of the current Trust Anchor rollover requirements
  document
• Usage of some terms seems inconsistent with
  RFC-4033

15
General Comment (cont.)

• Seeking input from the WG
• Do folks see requirements in the individual ID
  that should be included in the WG ID?
• Are folks willing to provide text?
• From a broader perspective, do folks believe
  there are requirements that are not currently in
  the WG ID?
• (Personal comment, I really think there must be
  but as an editor, I dont want to invent them)

16
Whats Next?

• Publish an 01 version that incorporates current
  revisions
• Hoping to send 01 to ID editor by the end of next
  week
• Plea from the editors for more discussion on
  current or new requirements
• Discussion on one challenging requirement seems
  to have consensus
• There are currently nine others that we need to
  be sure we reach consensus on quickly.
• If you like some requirement /or wording, say so
• If you dont, say that also but please provide
  text

17
Other Comments, Questions or Suggestions?
18
Other Comments, Questions or Suggestions?