110 likes | 225 Views
DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC. Ólafur Guðmundsson ogud @ogud.com. Current Status . 2 drafts: Threshold n out of m Timers IPR claim filed against both drafts Patent is issued in Israel License terms Royalty free
E N D
DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC Ólafur Guðmundsson ogud@ogud.com
Current Status • 2 drafts: • Threshold n out of m • Timers • IPR claim filed against both drafts • Patent is issued in Israel • License terms • Royalty free • Clause about references causes problems for some implementers • IPR holder wants to update IPR statement with new terms but not posted yet
Larger picture • Lack of DNSSEC KEY management is may soon become the excuse “de Jour” for not doing DNSSEC • Large TLD’s will not deploy DNSSEC any time soon without a market. • In early deployment “configured” trust anchors will be the rule • The need for configured trust anchors may never go away
Next steps: • WG needs to get more active on this issue or DROP IT completely • WG owes the proposals: • DISCUSSION • FEEDBACK • Selection criteria • Timeline
“.” ORG COM DE IS UK SE IETF OGUD ISOC DENIC www OPS Why we need Trust Anchor Management (TAM) • Secure Entry Points • .SE enables all domains with DS to be trusted • Root will always need TAM. RFC PAF
Trust Anchor: Timers • One optional protocol change • DNSKEY Revoke bit • Invalidates DS/DNSKEY fast, this is a revocation schema for DNSSEC • “immediately” is within the traditional DNS sense of: • zone update propagation delay + TTL
Resolver Trust Anchor State Machine NB: Differs slightly from ID version!
Trust Anchors: n out of m • Larger DNSKEY set required
Open Mike • Comments on proposals • Comments
Next Step • Advance • One • Both • Neither • Take discussion to mailing list