Internet Architecture Board

RFC2850

IAB to IANA – Request to IANA for status update on deployment of DNSSEC on IANA managed zones, 15 May 2006

Home»Documents»IAB Correspondence, Reports, and Selected Documents»2006»IAB to IANA - Request to IANA for status update on deployment of DNSSEC on IANA managed zones, 15 May 2006

Subject: DNSSEC on IAB related zones Date: Tue, 9 May 2006 21:41:05 +0200 To: iana@iana.org Cc: IAB , David Conrad

Dear David Conrad, DNSSEC is a technology that has taken numerous years to develop and is now in early production deployment. The IAB is an administrative contact for a number of zones and we feel that we have an “example role” in deployment of IETF technology. There are a number of zones for which IANA is the technical and the IAB is administrational contact (.arpa, ip6.arpa, uri.arpa, and urn.arpa). We think that early introduction of DNSSEC on these zones, e.g. this calendar year, would provide incentive to third parties to also sign their zones and therefore might encourage further DNSSEC deployment. On the other hand we consider the maintenance of DNSSEC secured zones a purely technical issue in which the administrative contact has little say. Therefore please consider this mail as a request for a status update on steps taken on deployment of DNSSEC. on behalf of the IAB, –Olaf Kolkman ———————————————————– Olaf M. Kolkman NLnet Labs http://www.nlnetlabs.nl/ 2nd —————————————————————— From: David Conrad
Subject: Re: DNSSEC on IAB related zones Date: Tue, 9 May 2006 13:44:10 -0700 To: “Olaf M. Kolkman” Cc: IAB

Dear Olaf, I’m happy to provide a status update: we’ve thought about it but haven’t done anything as yet. However, we take this note as a statement by IAB that we should do more than think about it. What zones does IAB wish signed? Does IAB wish a role in the signing process? There are a bunch of other details that IANA can either make up on our own (e.g., key lifetime, a key per zone or one key for all IAB zones, etc.) or ask for you all. Will IAB designate someone to work with us as we figure out what we need to do to sign the appropriate zones? Regards, David Conrad General Manager, IANA On May 9, 2006, at 12:41 PM, Olaf M. Kolkman wrote: > Dear David Conrad, >
> DNSSEC is a technology that has taken numerous years to develop and > is now in early production deployment. The IAB is an administrative > contact for a number of zones and we feel that we have an “example > role” in deployment of IETF technology. There are a number of > zones for which IANA is the technical and the IAB is > administrational contact (.arpa, ip6.arpa, uri.arpa, and urn.arpa). > We think that early introduction of DNSSEC on these zones, e.g. > this calendar year, would provide incentive to third parties to > also sign their zones and therefore might encourage further DNSSEC > deployment. On the other hand we consider the maintenance of > DNSSEC secured zones a purely technical issue in which the > administrative contact has little say. Therefore please consider > this mail as a request for a status update on steps taken on > deployment of DNSSEC. >
> on behalf of the IAB, >
> –Olaf Kolkman >
> ———————————————————– > Olaf M. Kolkman > NLnet Labs > http://www.nlnetlabs.nl/ >
>
>

3rd —————————————————————— From: Olaf M. Kolkman Subject: Re: DNSSEC on IAB related zones Date: Mon, 15 May 2006 09:00:16 +0200 To: David Conrad

Dear David, You wrote: > I’m happy to provide a status update: we’ve thought about it but > haven’t done anything as yet. However, we take this note as a > statement by IAB that we should do more than think about it. That is appreciated. > What zones does IAB wish signed? All zones for which IAB has administrative and IANA has technical responsibility. These are: .arpa, ip6.arpa, uri.arpa and urn.arpa. Besides those zones there is will be a new zone based on a document currently in the RFC editor queue; iris.arpa. > Does IAB wish a role in the signing process? DNSSEC provides a cryptographic means for a receiver to check that the data received is the same data as was placed in the zone by the zone maintainer. Since IANA is the zone maintainer I would like us to treat DNSSEC as a purely technical issue which is completely managed by the “technical contact” > There are a bunch of other details that IANA can either make up on > our own (e.g., key lifetime, a key per zone or one key for all IAB > zones, etc.) or ask for you all. Will IAB designate someone to > work with us as we figure out what we need to do to sign the > appropriate zones? The IAB entrusts IANA to work out the details and does not see a formal role except, perhaps, in the area of key-exchange between child and parent. This happens anywhere where DS RRs are to appear in IANA managed e.g in arpa for the e164, in-addr, iris, etc zones but also in iris.arpa for its children. This is an area where there are ‘administrational’ aspects and we probably need to work out some of the details. Obviously I’d be more than happy to act as an (informal) technical sparring partner and a formal interface to the IAB. –Olaf ———————————————————– Olaf M. Kolkman NLnet Labs http://www.nlnetlabs.nl/