DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC

Ólafur Guðmundsson, ogud@ogud.com

Current Status
  • 2 drafts:
    • Threshold n out of m
    • Timers
  • IPR claim filed against both drafts
    • Patent is issued in Israel
    • License terms
      • Royalty free
        • Clause about references causes problems for some implementers
      • IPR holder wants to update IPR statement with new terms but not posted yet
Larger picture
  • Lack of DNSSEC KEY management may soon become the excuse “du jour” for not doing DNSSEC
  • Large TLDs will not deploy DNSSEC any time soon without a market.
    • In early deployment “configured” trust anchors will be the rule
    • The need for configured trust anchors may never go away
Next steps:
  • WG needs to get more active on this issue or DROP IT completely
  • WG owes the proposals:
    • DISCUSSION
    • FEEDBACK
    • Selection criteria
    • Timeline
Why we need Trust Anchor Management (TAM)
  • Secure Entry Points
  • .SE enables all domains with DS to be trusted
  • Root will always need TAM.

[Figure: DNS tree diagram with nodes “.”, ORG, COM, DE, IS, UK, SE, IETF, OGUD, ISOC, DENIC, www, OPS, RFC, PAF]
Trust Anchor: Timers
  • One optional protocol change
    • DNSKEY Revoke bit
      • Invalidates DS/DNSKEY fast; this is a revocation scheme for DNSSEC
        • “immediately” is within the traditional DNS sense of:
          • zone update propagation delay + TTL
Resolver Trust Anchor State Machine

NB: Differs slightly from ID version!

Trust Anchors: n out of m
  • Larger DNSKEY set required
Open Mike
  • Comments on proposals
  • Comments
Next Step
  • Advance
    • One
    • Both
    • Neither
  • Take discussion to mailing list