DNS WG action item list update
Dear DNS WG, during the preparation of the upcoming meeting it was noted that the maintenance of our action item list at <http://www.ripe.net/ripe/wg/dns/actions> has fallen behind a bit. This message attempts to clean up the list and resolve any ambiguity. Please do not hesitate to contact the WG co-chairs if you have any questions or concerns. ----------------------------------------------------------------------------- During RIPE 58, we addressed 57.1 "DLV for NCC maintained TAs" during the RIPE NCC report: Anand talked first about AP 57.1: The RIPE NCC supports signing of the root and had planned to upload its trust anchors into the ISC DLV. He noted that somehow, this has happened without RIPE NCC knowledge. Contact has been made with ISC to investigate how this came about. Further on: ACTION POINT: Anand to document the overhaul of provisioning methods to submit the Trust Anchors of zones signed by the RIPE NCC into ISC DLV. The draft solution to be distributed to the DB WG. This became 58.1 with only being slightly different from 57.1. ----------------------------------------------------------------------------- The summary from RIPE 58 reads: ACTION 58.1: NCC's KSKs in DLV RIPE NCC to followup on the inclusion of RIPE NCC's TAs into ISC DLV ACTION 58.2: IN-ADDR.ARPA objects in the database Child objects for reverse zones in the RIPE DB were causing confusion when a parent object was also present. Since the parent zone was already provisioned the child zone would have no effect. ACTION 58.3: RIPE NCC to evaluate feedback on Lameness Delegation checking and incorporate this into any future work. Report back at RIPE 59. ----------------------------------------------------------------------------- The minutes for RIPE 59 <http://www.ripe.net/ripe/groups/wg/dns/minutes/ripe-59> say: 58.2 IN-ADDR.ARPA objects in the database This has created an action item for the database WG. 58.3 Feedback on lame delegations Research into the lame delegation project will be presented by Shane Kerr (ISC) later in the agenda. Finally, the RIPE 59 minutes say: Peter proposed to keep action item 58.2 open so that the RIPE NCC can take care of this. He recommended closing NCC's KSKs and DLV action items (57.1 and 58.1). There were no objections. and later: Shane said he'd be happy to continue discussion on the mailing list. Peter proposed to close this action item (58.3). The WG agreed with this proposal. The issue of parent/child domain objects in the database for the reverse tree(s) was reported done by the DB group in a mail sent 09 Dec 2010: <http://www.ripe.net/ripe/maillists/archives/dns-wg/2010/msg00113.html> ----------------------------------------------------------------------------- Summary: We are going to list new action items 58.1, 58.2, and 58.3 as described above. All of these plus 57.1 can be marked "done" as per the minutes of RIPE 59 and subsequent email from the NCC's DB group. No Action Items from RIPE 59, Lisbon, October 2009 No Action Items from RIPE 60, Prague, May 2010 No Action Items from RIPE 61, Rome, November 2010 ----------------------------------------------------------------------------- Best regards, Peter
Peter, On 19 Apr 2011, at 18:28, Peter Koch wrote:
Dear DNS WG,
during the preparation of the upcoming meeting it was noted that the maintenance of our action item list at
<http://www.ripe.net/ripe/wg/dns/actions>
has fallen behind a bit. This message attempts to clean up the list and resolve any ambiguity. Please do not hesitate to contact the WG co-chairs if you have any questions or concerns.
-----------------------------------------------------------------------------
During RIPE 58, we addressed 57.1 "DLV for NCC maintained TAs" during the RIPE NCC report:
Anand talked first about AP 57.1: The RIPE NCC supports signing of the root and had planned to upload its trust anchors into the ISC DLV.
Shouldn't this say "had planned not to upload it's trust anchors"? -- Brett Carr Systems Administrator Nominet UK http://www.nominet.org.uk
On 20 Apr 2011, at 09:56, Brett Carr wrote:
Anand talked first about AP 57.1: The RIPE NCC supports signing of the root and had planned to upload its trust anchors into the ISC DLV.
Shouldn't this say "had planned not to upload it's trust anchors"?
I don't think so Brett. Here's an extract from the RIPE57 minutes: There was a question about how to get the trust anchors for the RIPE NCC domains. Anand explained that they could be found on the secure website <https://www.ripe.net/projects/disi//keys/index.html>. Anand was asked to look into DLV, which would make keeping track of key rollovers easier. ACTION: NCC (Anand) to consider DLV for the Trust Anchors maintained by the NCC You might recall a lot of WG activity around RIPE57 was spent on a response to the NTIA proposals for signing the root. And it was unclear how or when .arpa and its subdomains would get signed if/when the root got signed. So at that time, the ISC DLV was pretty much the only option that was open to the NCC for its signed reverse tree. Sigh. IANA's ITAR only handled TLD keys. IIUC the NCC never lodged their KSKs with ISC's DLV thing. Though they somehow ended up there and this created some issues later. PS it should have been "upload its trust anchors". It's a pet peeve of mine when people type "it's" (it is) when they mean "its" (possessive of it). I know. I need to get out more.
On 20/04/2011 11:22, Jim Reid wrote:
IIUC the NCC never lodged their KSKs with ISC's DLV thing. Though they somehow ended up there and this created some issues later.
This was the main issue. ISC imported the NCC's trust anchors without asking. However, we spoke with ISC about this, and resolved it. ISC no longer imports our trust anchors automatically. Instead, we have an account in the ISC TAR, and we choose what goes in, and when. At the moment, we have just 10 islands of trust left in the ISC TAR, and we're just waiting for their parents to be signed. Regards, Anand Buddhdev RIPE NCC
participants (4)
-
Anand Buddhdev -
Brett Carr -
Jim Reid -
Peter Koch