Dear RIPE Working Group Member,

You are invited to complete the following DNSSEC Survey conducted by .ORG, The Public Interest Registry. The purpose of this survey is to evaluate DNSSEC preparedness and to gain more information on current and future plans to implement DNSSEC.

We would greatly appreciate your response, so we hope you are able to take a few minutes to complete this survey. Your responses will remain anonymous as no identity information will be recorded.

To participate in the survey, please visit http://guest.cvent.com/v.aspx?1A,Q3,95818ada-0ceb-4ea2-bce2-c2d94d68da13

We look forward to your response,

Sincerely, Jakob Schlyter, Kirei AB for .ORG, The Public Interest Registry
On 24 Jun 2008, at 08:56, Jakob Schlyter wrote:
We look forward to your response,
I'll pass.
Binary answer-sets to questions which need a more nuanced answer force respondents to give misleading replies.
I'd prefer not to do that.
/Niall
Binary answer-sets to questions which need a more nuanced answer force respondents to give misleading replies.
for same reason, i gave up on the second or third page and javascript? shame! randy
On 24 jun 2008, at 10.45, Niall O'Reilly wrote:
On 24 Jun 2008, at 08:56, Jakob Schlyter wrote:
We look forward to your response,
I'll pass.
Binary answer-sets to questions which need a more nuanced answer force respondents to give misleading replies.
I'd prefer not to do that.
I responded, but many of my responses for this reason ended up being "other". Jakob, I am happy to talk with you instead, and answer the questions with more words. Patrik
why do we need a survey? you don't need a weatherman to know which way the wind blows. sign the bleeping root already. randy
On Tue, Jun 24, 2008 at 08:39:16PM +0900, Randy Bush wrote:
why do we need a survey? you don't need a weatherman to know which way the wind blows. sign the bleeping root already.
randy
go for it Patrick! --bill
On Tue, 24 Jun 2008, bmanning@vacation.karoshi.com wrote:
On Tue, Jun 24, 2008 at 01:00:18PM +0000, Lutz Donnerhacke wrote:
sign the bleeping root already.
Use the signed root. Don't talk about.
Sorry ...
which one?
On Tue, Jun 24, 2008 at 10:16:17AM -0400, Paul Wouters wrote:
On Tue, 24 Jun 2008, bmanning@vacation.karoshi.com wrote:
On Tue, Jun 24, 2008 at 01:00:18PM +0000, Lutz Donnerhacke wrote:
sign the bleeping root already.
Use the signed root. Don't talk about.
Sorry ...
which one?
https://ns.iana.org/dnssec/root.zone.signed
:)
Paul
well, it seems that Randy's admonition to Patrick to "sign the bleeping root already" has been OBE'd. :) Of course, he could sign it -again- --bill
* Paul Wouters wrote:
On Tue, 24 Jun 2008, bmanning@vacation.karoshi.com wrote:
On Tue, Jun 24, 2008 at 01:00:18PM +0000, Lutz Donnerhacke wrote:
Use the signed root. Don't talk about. which one?
Or any other, you trust. It's *your* validating resolver.
Does anyone happen to know what all of the "bert" entries are in there?

badbert. 180 IN NS NS.XTCN.COM.
fallbert. 180 IN NS NS.XTCN.COM.
goodbert. 180 IN NS NS.XTCN.COM.
lazybert. 180 IN NS NS.XTCN.COM.

Ray
At 17:42 +0100 6/24/08, Ray.Bellis@nominet.org.uk wrote:
Does anyone happen to know what all of the "bert" entries are in there?
Perhaps this is related... http://bert.secret-wg.org/Root/index.html -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Never confuse activity with progress. Activity pays more.
So, the signed root made available at ns.iana.org is a demonstration/test service. Originally, the plan was that it was going to be a production-quality signed root with its own set of secondaries that would allow folks who wanted to test DNSSEC in actual use to modify their root hints appropriately and go about their business.

As part of this demonstration/test service, I felt it appropriate to require the secondaries for that service to enter into an agreement that would require those secondaries to meet a base service level commitment and (more importantly) to agree to discontinue use when the real root was signed.

Some of the existing root server operators whom I contacted to provide secondary service felt this threatened their continued operation of their root servers. They requested the service be made non-production quality, e.g., that IANA would take the service down periodically or otherwise make the service unreliable. I personally thought this would render the service essentially unusable for the purposes of validating caching resolver experimentation/testing as it would mean ISPs who wanted to play couldn't point to the signed root in their customer facing resolvers. Instead, Rick Lamb of IANA added some bogus TLDs with various failure modes (e.g., bad signatures, expired signatures, etc.)

In the end, I gave up trying to push the ns.iana.org experiment as I got extremely tired of the root server operator politics. The signed root continues to be provided with a very elaborate and secure signing mechanism, but I wouldn't call the service provided at ns.iana.org production quality.

FWIW.

Regards, -drc

On Jun 24, 2008, at 6:42 PM, Ray.Bellis@nominet.org.uk wrote:
Does anyone happen to know what all of the "bert" entries are in there?
badbert. 180 IN NS NS.XTCN.COM.
fallbert. 180 IN NS NS.XTCN.COM.
goodbert. 180 IN NS NS.XTCN.COM.
lazybert. 180 IN NS NS.XTCN.COM.
Ray
In the end, I gave up trying to push the ns.iana.org experiment as I got extremely tired of the root server operator politics.
the little club killed things again. how sad for the internet. randy
On Tue, Jun 24, 2008 at 11:47:03PM +0200, David Conrad wrote:
So, the signed root made available at ns.iana.org is a demonstration/test service.
and a fine service too.
Some of the existing root server operators whom I contacted to provide secondary service felt this threatened their continued operation of their root servers.
too bad you did not poll more of the operator community.
In the end, I gave up trying to push the ns.iana.org experiment as I got extremely tired of the root server operator politics.
FWIW.
Regards, -drc
those darned checks and balances get in the way again eh? --bill
On Jun 24, 2008, at 4:34 PM, bmanning@vacation.karoshi.com wrote:
those darned checks and balances get in the way again eh?
The irony of this statement by this individual in this context is _truly_ amusing. Regards, -drc
At 19:53 -0700 6/24/08, David Conrad wrote:
On Jun 24, 2008, at 4:34 PM, bmanning@vacation.karoshi.com wrote:
those darned checks and balances get in the way again eh?
The irony of this statement by this individual in this context is _truly_ amusing.
Given http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf and as far as I know, no response back from ICANN to that, followed by the exchange above perhaps the WG should ask about this situation. (But ask whom?)

If indeed the (ICANN) root server operators have misgivings about the experiment, could someone operating a root server express the reasons? I realize that the context of the claim (that the root server operators disapproved) is within the confines of the experiment and not (necessarily) production, but perhaps there's a link.

Just real curious at this point.

-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468 NeuStar
Never confuse activity with progress. Activity pays more.
* Edward Lewis wrote:
Given http://www.ripe.net/ripe/wg/dns/icann-root-signing.pdf and as far as I know, no response back from ICANN to that, followed by the exchange above perhaps the WG should ask about this situation. (But ask whom?)
After the DNSSEC session yesterday on the ICANN meeting in Paris, I had some lengthy discussions with several board members on this subject. My impression is that ICANN is faced with serious concerns by the US Gov. I think the right way is to prepare a policy proposal for the Cairo meeting later this year. It might be worth thinking who should prepare the proposal.
If indeed the (ICANN) root server operators have misgivings about the experiment, could someone operating a root server express the reasons?
According to the talk today (slides are available on http://par.icann.org), there are no technical or operational issues anymore.
On Wed, Jun 25, 2008 at 03:28:09PM -0400, Edward Lewis wrote:
At 19:53 -0700 6/24/08, David Conrad wrote: ...polled -some- root server operators..
Emphasis mine
If indeed the (ICANN) root server operators have misgivings about the experiment, could someone operating a root server express the reasons?
two things here. DRC didn't not poll -all- the operators, only some subset that he selected. re misgivings about sanctioned alternate roots that remain persistent... discussions go back at least a decade - details in old rssac minutes. in this case, (one) of the concerns is the de facto hijacking of the root zone editorial function - which is still done under contract/MOU with DoC and VSGN. Just one POV. --bill
On Jun 26, 2008, at 8:01 AM, bmanning@vacation.karoshi.com wrote:
On Wed, Jun 25, 2008 at 03:28:09PM -0400, Edward Lewis wrote:
At 19:53 -0700 6/24/08, David Conrad wrote: ...polled -some- root server operators.. Emphasis mine
Actually, the sentence you attribute to me was also yours.
If indeed the (ICANN) root server operators have misgivings about the experiment, could someone operating a root server express the reasons?
two things here. DRC didn't not poll -all- the operators, only some subset that he selected.
Indeed (ignoring the presumably spurious 'not' in the above sentence). I also spoke to folks who weren't root server operators (gasp) to provide the secondary service for the demo/test DNSSEC-signed root zone. The goal wasn't to replicate the root server "system" (what would be the point of that?), rather it was to obtain secondaries for a production-quality demo/test service that would go away once the real root zone was signed. I was specifically looking for professionally-operated widely distributed anycast services that had a track record of knowing how to provide root-level DNS and who could spell DNSSEC. As you yourself are aware, there are folks other than the existing root server operators who can do that sort of thing...
re misgivings about sanctioned alternate roots that remain persistent...
Hence the requirement for an agreement, the exact thing into which some of the root server operators I spoke to refused to enter (the non-root server operator folks I spoke to understood the rationale and had no such qualms).
in this case, (one) of the concerns is the de facto hijacking of the root zone editorial function - which is still done under contract/MOU with DoC and VSGN.
Riiight. Funny: the data served by ns.iana.org for the DEMO/TEST (hint: not the root name service the data for which is published by VeriSign) service was derived from ftp://ftp.internic.net/domains/root.zone. Of course, discussions with the root server operators didn't get very far once the term "agreement" came up and I quickly lost interest trying to pursue it. My patience for purely non-technical politics isn't what it used to be (and it wasn't that good to begin with). Regards, -drc
* David Conrad wrote:
Originally, the plan was that it was going to be a production-quality signed root with its own set of secondaries that would allow folks who wanted to test DNSSEC in actual use to modify their root hints appropriately and go about their business.
Please start at a.dnssec.thur.de. AXFR is open. It has been running for more than two years now for us and our customers.
* Jakob Schlyter:
We would greatly appreciate your response, so we hope you are able to take a few minutes to complete this survey. Your responses will remain anonymous as no identity information will be recorded.
I don't think there's a clear distinction between primary and secondary DNS service these days. Do you mean "primary" == "fed over non-AXFR protocols" and "secondary" == "fed over AXFR/IXFR"?
On 27 jun 2008, at 04.05, Florian Weimer wrote:
* Jakob Schlyter:
We would greatly appreciate your response, so we hope you are able to take a few minutes to complete this survey. Your responses will remain anonymous as no identity information will be recorded.
I don't think there's a clear distinction between primary and secondary DNS service these days. Do you mean "primary" == "fed over non-AXFR protocols" and "secondary" == "fed over AXFR/IXFR"?
I would define primary as the "zone editing function" and secondary as someone doing AXFR/IXFR from a primary. jakob
On Mon, Jun 23, 2008 at 02:24:12PM +0200, Jakob Schlyter wrote:
Dear RIPE Working Group Member,
You are invited to complete the following DNSSEC Survey conducted by .ORG, The Public Interest Registry. The purpose of this survey is to evaluate DNSSEC preparedness and to gain more information on current and future plans to implement DNSSEC.
We would greatly appreciate your response, so we hope you are able to take a few minutes to complete this survey. Your responses will remain anonymous as no identity information will be recorded.
To participate in the survey, please visit http://guest.cvent.com/v.aspx?1A,Q3,95818ada-0ceb-4ea2-bce2-c2d94d68da13
We look forward to your response,
Sincerely, Jakob Schlyter, Kirei AB for .ORG, The Public Interest Registry
question #20 asks, if the respondent needs assistance and if so, rank order the replies. There is no way to say, "no, i don't need assistance" - one must answer and rank order the proffered responses. so when you finally get to my survey, note well that #20 is completely bogus. --bill
participants (12):
- bmanning@vacation.karoshi.com
- David Conrad
- Edward Lewis
- Florian Weimer
- Jakob Schlyter
- Jakob Schlyter
- Lutz Donnerhacke
- Niall O'Reilly
- Patrik Fältström
- Paul Wouters
- Randy Bush
- Ray.Bellis@nominet.org.uk