Deploy360 8 March 2013

DNSSEC Discussion In DNSOP Working Group At IETF86 Next Week

By Dan York, Director of Web Strategy

At the 86th meeting of the Internet Engineering Task Force (IETF) next week in Orlando there is one primary working group where DNSSEC will be discussed, the DNSOP (DNS Operations) working group. As noted in our recently-published “Rough Guide To IETF 86’s Hot Topics”, DNSOP develops guidelines for the operation of DNS software servers and the administration of DNS zone files. It also documents DNSSEC operational procedures and looks at DNS-related IPv6 transition and coexistence issues.

The meeting is on Thursday, March 14, from 17:30 – 18:30 US Eastern time. The agenda and working group charter are:

Agenda: https://datatracker.ietf.org/meeting/86/agenda/dnsop/
Charter: https://datatracker.ietf.org/doc/charter-ietf-dnsop/

There are two major DNSSEC-related documents being discussed. First is draft-livingood-negative-trust-anchors, an interesting idea about how to use a “Negative Trust Anchor” to indicate within the DNSSEC-validating resolver that you want to accept DNS records for a given domain even if the DNSSEC validation comes back as bad. The primary use case for this is when there is a breakage of the DNSSEC chain of trust caused by, for instance, accidentally letting a key expire for a domain. This idea came about from the team at Comcast when they dealt with issues like the nasa.gov key expiration. It’s intended as a temporary measure that administrators can use while we are getting more DNSSEC deployed and the tools and processes are still evolving.

The second document is draft-kumari-ogud-dnsop-cds, a new draft that proposes a method of solving the dilemma of how to communicate a new Key Signing Key (KSK) to the parent domain using DNS itself.  This issue has been an ongoing challenge that has been in need of simplification – and this approach is one such proposal.  The mechanism, though, has proven to be quite contentious with a large volume of email to the dnsop mailing list.  It should generate quite an interesting discussion in the DNSOP meeting!

There may be a few other DNSSEC-related documents floating around in other working groups, but the DNSOP group on Thursday will be the major location of DNS-related discussion at this IETF 86 meeting.  Other DNS-related working groups such as DANE and DNSEXT chose not to meet as their work has been going on through the mailing lists and did not require a face-to-face meeting this time.

Note that if you can’t participate in person, there are several ways to participate remotely via audio, Jabber chat, WebEx and MeetEcho.

P.S. 3 of the 4 DO Team members will be at IETF 86 next week – please do say hello if you are there!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.