Skip to main content

RSSAC Meeting, San Diego

1 August 2004

RSSAC - 19th Meeting

San Diego, CA, USA

Kenjura Cho Ed Lewis Nevil Brownlee
Steve Conte Mark Schlaifer Bill Manning
Jun Murai Jessica Little Greg Ruth - visitor
John Crain Akira Kato Nico Jakobsson
Steve Crocker Andre Robachevsky Mark Kosters
Paul Vixie Matt Larson Johan Ihren
Gerry Sneeringer Brad Verd Lars Liman
Joao Dumas Kim Claffy Brad Huffaker
George Michaelson Yuji Sekai Cathy Murphy
Olaf Kochman Suzanne Woolf  
Fredrick Nevas Doug Barton  

Daniel K not here, was not within telecoms reach, decided not to patch in by phone so no conf. call



  1. Anycast update (vixie)
  2. v6 glue update (manning)
  3. Security (crocker)
  4. ICANN meeting report and administrations (woolf)
  5. Measurement activities (kc, cho)
  6. Future (jun)

1 - Anycast update (vixie)

Successful and wide deployment by about 1/2 servers, no longer controversial.
"everything seems to be ok" is the message.

List as found on
J in 15 sites
M live in Seoul.

I-root some global, some not, depends on local environment 5 new sites about to go live, in various stages of activation. Ones on web taking queries. Tokyo, Bucharest, Ankara coming up. Chicago in installation, Washington, DC later. Also KL/Malaysia.

B-root going to research and education nets.

M-root work in planning. couple of other locations

K-root, plan to deploy 3-4 global nodes during 04-05. 6-10 local nodes

One issue is unique server identification. still issue of dealing with 'which server served me' message info for when things go wrong. server id requirements being perused by Woolf and Austien in IETF DNSEXT wg. Work stalled, restarting.

We need to do dnssec soon, gives ability to track data. attack vector on anycast, "assert I's IP # in odd place, can pretend another instance of I. having signed zone to be published would help"

One can also stand up machine for heavily multi-homed I root, same effect. possible even AS-path checks won't detect. F had 145 BGP peers, before adding 2nd city. from exterior Point of View, multihoming or anycast are not distinguishable. not a new problem. we should use DNSSEC

2 - v6 glue update (manning)

ICANN received approval to add v6 glue for TLDs - added v6 glue for KR,/JP,/FR zones last week. Graph of v6 load from JP from Kato. V6 glue was in the authoritative section of JP. base is 2-5 q/sec, but peak rises to higher end once deployed. from 2 to 4 (!) so still at low end.

V6 glue update, in the last MPLS meeting, talked about separating V6 glue for TLD from glue for roots. The issues are slightly different. Since that meeting, there has been some activity on developing matrix of what will/may occur when we add v6 glue to root servers. We hope we will have fairly detailed matrix available soon, if all else works properly, ought to be able to have it done, do analysis afterward, timed for Nov IETF DC. more to report then. Issues. Packet size, aiming for deployment in 2005

Working on Matrix, report in Nov, something for the next ICANN in Cape Town There may be disparity issues (who's running what server) shooting for 2005 implementation not technically difficult but thoroughness is key!

SSAC - (crocker)
Joint participation between SSAC & RSSAC - lots of overlap.
Can talk about wildcard
Want to talk about DNSSEC

DNSSEC - the slide pack from Verisign?
The dnssec-rm evolution

Deployment - once DNSSEC specs are done.
Discussing what do we do to get from "here" to "there"
Verisign had a similar meeting yesterday
Jim Reid / ISC is running MOTA

ISSUES - a list of unknown length.
Root Keys
Trust Anchors

When? - for stability - 9-18 months.
This is partly due to the need to coordinate between 12 orgs
Therefore it is likely to see TLDs go first

SSAC slides from ICANN/KL
SSAC rotation & replenish
Need a writer...
The Wildcard Report ....

Spec cleanup will he hard.
Does the report describe the "worst" ? KC.
Nope - Crocker.

3 - Security (crocker)

Spent a lot of time on the wildcard problem
Spent a lot of time on dnssec

DNSSEC Deployment (based on his slides)

Spent a lot of time wondering how to deploy dnssec and what the issues are. A separate project has emerged. Long suffering and has taken quite a while, over 10 years. Looking at the future, it's relatively easier to manage the beginning and end than the middle.
IANA/Root is pivotal to dnssec deployment. A deployment project has been spun out to work on issues not solved with existing RFCs
- Root issues
- End Systems
- Trust Anchors
- Privacy
Funding - DHS, US Leadership, EU Leadership, AP Leadership
Communities - IANA, Root Servers, gTLDs, ccTLDs, DNS Vendors

Complicated to deploy dnssec at root due to the variety of demands for transparency and stability. Root server operators are cautionary before announcing that they're dnssec compliant. They are waiting for RFCs to be finalized and stable code available before announcing a real deployment timetable. It is reasonable to wait until 2nd half of 2005 to speculate more on implementation plans.

Sitefinder report
1 Verisign changed the registry; caused harm
2 the change violated engineering principles, blurred architectural layers
3 Verisigns change put itself in the loop for all current and future proto changes
4 the change was abrupt despite long internal dev
5 quick reactions yielded more changes and counter patches
6 email senders and receivers were ingested into Verisign servers
7 web redirection page collected information associated with users
8 the collective events reduced trust overall


1 no new wildcards in TLDs
2 roll back wildcards in existing TLDs
3 Clean up specs
4 enforce proper discipline, including open notice and consensus, for
registry changes

taken up other subjects

- TLD failures (i.e., LY)

4 - ICANN meeting report and administrations (woolf)

RSSAC updated to the board publicly
- working on a separate recommendation re: v6 for the root
didn't have to talk much about anycast (not controversial)
TLDs are interested in deploying something like anycast
IDN - lots of questions about that
IDN is NOT root server issue
ICANN announced AAAA glue support during KL meeting
KR/JP/FR added - more on the way
RSSAC has a liaison to the ICANN nomcom (woolf)
- 3 openings (board)
- 1 gnso
- 2 ccnso
- 3 at large
Issues getting candidates and nomcom have extended the deadline
New deadline is Aug 25

ICANN has invited RSSAC liaison to the board
good time to identify (nominate) liaison from RSSAC
annual appointment via the ICANN bylaws
Suzanne, Bill, & Johan attend meetings pretty often (Matt Larson as well)
Liman brought up that the current RSSAC participants are currently funded by their respective organization. ICANN covering travel costs will mean a loss.

General agreement to put call on list, wait for replies for a week, then Jun selects.

5 - Measurement
KC - two sigcom papers.
Projects - (vixie demos DSC - software from D.Wessls)

Cho - a caida/wide WS after the IETF. Need input from RSSAC
Presents interesting measurement graphs. 19 sites, has many of the same
Features as the RIPE/DNSMON tool

With anycast - RTT may get worse - Kato
Clock resolution is problematic - if drift exceeds 10ms, it is hard to tell - Vixie

Barton invited to talk about v6 glue issues
Working on adding new glue - ICANN is getting v6 transport.
Delegation procedure docs well received.
Wants to see v6glue for root.

Use existing procedures to get NS glue updated.

6 - Futures - Next meeting date is 06nov - Sunday 15:00-17:00 - WDC IETF-61

Notes taken by: Bill Manning, Steve Conte, George Michaelson, Andrei Robachevsky

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."