... On 2008Oct29, at 7:30 PM, Edward Lewis wrote:
Regardless of my personally agreeing with such a statement or not, here are my reactions to some of the bullets.
At 15:01 +0400 10/29/08, Patrik Fältström wrote:
B - The addition of DNSSEC to the root zone must be recognised as a global initiative.
I'm unclear on the intent of the B statement. See my comment on E.
E - Any procedural changes introduced by DNSSEC should be aligned with the process for coordinating changes to and the distribution of the root zone.
In some interpretations of B & E, these two could be conflicting. I.e., B implies that the current state of root zone management is too centered in the US, E evokes a message encouraging the status quo.
Mind you - I am not commenting on B or E, but my reading of the two leaves some confusion in my mind. Perhaps I am misunderstanding B and/or E as it is presented here.
I take B to mean we want the global Internet community to use and trust it. ..and yes control and operation that is less US centric.
Thank you for "translating" E. It does evoke the current state of affairs which unfortunately do not best serve DNSSEC (even envisioned in [1]) and contradictory with B. I don't believe anyone is suggesting changing the current distribution mechanism for the root zone...only changing the creation of that zone to secure it and its new contents effectively. The how and who should be up to the community the root serves.
IMHO E needs to be removed.
It refers to a "process" that is by no means favored by the whole community nor frozen in stone. Why build it into DNSSEC? I have yet to understand the drivers behind E as there are any number of ways to achieve the same "balance" while simplifying and securing the process. Given the will, making such changes does not take a long time. In a previous life in government I have seen greater issues settled, contracts written, and even $$ doled out in less than a month. All depended on what level pressure is applied.
It's your root. Design it and make sure it is what you want. ...
K - Changes to the entities and roles in the signing process must not require a change of keys.
I technically disagree with that, if there is a change in the entity performing the zone signing, the private key material should not have to be transferred out in the transition. The private key material of concern here is the ZSK, not the KSK.
Agreed.
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->=- Edward Lewis +1-571-434->5468 NeuStar
Never confuse activity with progress. Activity pays more.
Very much agree ;-)
Not speaking for my employer on any of this lest I be looking for another career.
-Rick
[1] http://www.icann.org/en/tlds/agreements/verisign/root-server-management-tran... signed version elsewhere
On Wed, 2008-10-29 at 15:15 -0700, Richard Lamb wrote:
E - Any procedural changes introduced by DNSSEC should be aligned with the process for coordinating changes to and the distribution of the root zone.
In some interpretations of B & E, these two could be conflicting. I.e., B implies that the current state of root zone management is too centered in the US, E evokes a message encouraging the status quo.
Mind you - I am not commenting on B or E, but my reading of the two leaves some confusion in my mind. Perhaps I am misunderstanding B and/or E as it is presented here.
I take B to mean we want the global Internet community to use and trust it. ..and yes control and operation that is less US centric.
Thank you for "translating" E. It does evoke the current state of affairs which unfortunately do not best serve DNSSEC (even envisioned in [1]) and contradictory with B. I don't believe anyone is suggesting changing the current distribution mechanism for the root zone...only changing the creation of that zone to secure it and its new contents effectively. The how and who should be up to the community the root serves.
IMHO E needs to be removed.
It refers to a "process" that is by no means favored by the whole community nor frozen in stone. Why build it into DNSSEC? I have yet to understand the drivers behind E as there are any number of ways to achieve the same "balance" while simplifying and securing the process. Given the will, making such changes does not take a long time. In a previous life in government I have seen greater issues settled, contracts written, and even $$ doled out in less than a month. All depended on what level pressure is applied.
It's your root. Design it and make sure it is what you want.
IIRC, the idea is that adding DNSSEC is independent of any changes to the root system. DNSSEC is largely technical. Reform of the root system is largely political. The two should not be entangled any more than is necessary. This can only result in slowing one or the other down, and confusing what should be viewed as separate goals. Nothing in any of these points should suggest that the process of signing the root cannot be changed. Quite the opposite! If the way the root zone is managed changes, then item E actually means that the signing process should change right along with it. -- Shane
Thank you for the clarification. I agree with your interpretation completely. A link to the dns-wg archives in whatever statement comes out of this would be useful to avoid misinterpretation of any of the items.
Sorry for being such an engineer in my comments. Having been a part of the (relatively minor) politics, it seems we should just go for the most secure engineering solution. Guess I have a lot to learn.
-Rick
-----Original Message-----
From: dns-wg-admin@ripe.net [mailto:dns-wg-admin@ripe.net] On Behalf Of Shane Kerr
Sent: Thursday, October 30, 2008 5:13 AM
To: Richard Lamb
Cc: dns-wg@ripe.net
Subject: Re: [dns-wg] NTIA and RIPE
On Wed, 2008-10-29 at 15:15 -0700, Richard Lamb wrote:
E - Any procedural changes introduced by DNSSEC should be aligned with the process for coordinating changes to and the distribution of the root zone.
In some interpretations of B & E, these two could be conflicting. I.e., B implies that the current state of root zone management is too centered in the US, E evokes a message encouraging the status quo.
Mind you - I am not commenting on B or E, but my reading of the two leaves some confusion in my mind. Perhaps I am misunderstanding B and/or E as it is presented here.
I take B to mean we want the global Internet community to use and trust it. ..and yes control and operation that is less US centric.
Thank you for "translating" E. It does evoke the current state of affairs which unfortunately do not best serve DNSSEC (even envisioned in [1]) and contradictory with B. I don't believe anyone is suggesting changing the current distribution mechanism for the root zone...only changing the creation of that zone to secure it and its new contents effectively. The how and who should be up to the community the root serves.
IMHO E needs to be removed.
It refers to a "process" that is by no means favored by the whole community nor frozen in stone. Why build it into DNSSEC? I have yet to understand the drivers behind E as there are any number of ways to achieve the same "balance" while simplifying and securing the process. Given the will, making such changes does not take a long time. In a previous life in government I have seen greater issues settled, contracts written, and even $$ doled out in less than a month. All depended on what level pressure is applied.
It's your root. Design it and make sure it is what you want.
IIRC, the idea is that adding DNSSEC is independent of any changes to the root system. DNSSEC is largely technical. Reform of the root system is largely political. The two should not be entangled any more than is necessary. This can only result in slowing one or the other down, and confusing what should be viewed as separate goals. Nothing in any of these points should suggest that the process of signing the root cannot be changed. Quite the opposite! If the way the root zone is managed changes, then item E actually means that the signing process should change right along with it. -- Shane
participants (2): Richard Lamb, Shane Kerr