Deploy360 8 March 2013

DNSSEC Discussion In DNSOP Working Group At IETF86 Next Week

By Dan York, Director, Internet Technology

At the 86th meeting of the Internet Engineering Task Force (IETF) next week in Orlando, there is one primary working group where DNSSEC will be discussed: the DNSOP (DNS Operations) working group. As noted in our recently published “Rough Guide To IETF 86’s Hot Topics”, DNSOP develops guidelines for the operation of DNS software servers and the administration of DNS zone files. It also documents DNSSEC operational procedures and looks at DNS-related IPv6 transition and coexistence issues.

The meeting is on Thursday, March 14, from 17:30 – 18:30 US Eastern time. The agenda and working group charter are:


There are two major DNSSEC-related documents being discussed. The first is draft-livingood-negative-trust-anchors, an interesting idea about how to use a “Negative Trust Anchor” to tell a DNSSEC-validating resolver that you want to accept DNS records for a given domain even if DNSSEC validation comes back as bad. The primary use case is a break in the DNSSEC chain of trust caused by, for instance, accidentally letting a key expire for a domain. The idea grew out of the Comcast team's experience dealing with exactly such key expirations. It is intended as a temporary measure that administrators can use while DNSSEC deployment grows and the tools and processes are still evolving.
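The resolver-side decision that a Negative Trust Anchor changes, as an added illustration that is not code from the draft or from any resolver; the expiry field, the rule that an NTA covers the configured name and everything below it, and the example.com scenario with its timestamps are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class NegativeTrustAnchor:
    name: str          # zone whose broken chain of trust the operator has vetted
    expires: datetime  # NTAs are temporary: hard stop for the repair window (assumed field)

def nta_covers(nta_name: str, qname: str) -> bool:
    """True if qname is nta_name or a subdomain of it (label-aligned, case-insensitive)."""
    n = nta_name.rstrip(".").lower()
    q = qname.rstrip(".").lower()
    return q == n or q.endswith("." + n)

def resolver_response(qname: str, validation: str, ntas: list, now: datetime) -> tuple:
    """Map a validation result ('secure', 'insecure', 'bogus') to (action, ad_flag).

    action is 'answer' or 'servfail'; ad_flag says whether the reply may carry the
    Authenticated Data bit.  A name covered by an unexpired NTA is treated as unsigned.
    """
    if validation == "secure":
        return ("answer", True)
    if validation == "insecure":
        return ("answer", False)
    # 'bogus': SERVFAIL unless the operator has vetted this zone with a live NTA.
    for nta in ntas:
        if nta.expires > now and nta_covers(nta.name, qname):
            return ("answer", False)   # data is returned but never marked authentic
    return ("servfail", False)

def demo() -> list:
    """Constructed scenario: example.com let its key expire; operator installs a 24h NTA."""
    t0 = datetime(2013, 3, 14, 17, 30, tzinfo=timezone.utc)  # constructed timestamp
    ntas = [NegativeTrustAnchor("example.com.", t0 + timedelta(hours=24))]
    checks = [
        ("www.example.com.", "bogus", t0),                        # covered: answered, AD clear
        ("notexample.com.", "bogus", t0),                         # not a subdomain: still SERVFAIL
        ("example.org.", "bogus", t0),                            # unrelated breakage: SERVFAIL
        ("www.example.com.", "bogus", t0 + timedelta(hours=25)),  # NTA expired: SERVFAIL again
        ("www.example.com.", "secure", t0),                       # repaired zone validates normally
    ]
    return [resolver_response(q, v, ntas, t) for q, v, t in checks]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The label-aligned match matters: an NTA for example.com must not silently disable validation for notexample.com, and the expiry is what keeps the measure temporary rather than a permanent hole in validation.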

The second document is draft-kumari-ogud-dnsop-cds, a new draft that proposes a method of communicating a new Key Signing Key (KSK) to the parent domain using DNS itself. This has been an ongoing challenge in need of simplification, and this approach is one such proposal. The mechanism, though, has proven quite contentious, generating a large volume of email on the dnsop mailing list. It should make for an interesting discussion in the DNSOP meeting!

There may be a few other DNSSEC-related documents floating around in other working groups, but the DNSOP session on Thursday will be the main venue for DNS-related discussion at IETF 86. Other DNS-related working groups such as DANE and DNSEXT chose not to meet, as their work has been proceeding on the mailing lists and did not require a face-to-face session this time.

Note that if you can’t participate in person, there are several ways to participate remotely: audio, Jabber chat, WebEx and MeetEcho.

P.S. 3 of the 4 DO Team members will be at IETF 86 next week – please do say hello if you are there!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
