RSSAC Meeting, San Diego
1 August 2004
RSSAC - 19th Meeting
San Diego, CA, USA
|Kenjiro Cho||Ed Lewis||Nevil Brownlee|
|Steve Conte||Mark Schlaifer||Bill Manning|
|Jun Murai||Jessica Little||Greg Ruth - visitor|
|John Crain||Akira Kato||Nico Jakobsson|
|Steve Crocker||Andrei Robachevsky||Mark Kosters|
|Paul Vixie||Matt Larson||Johan Ihren|
|Gerry Sneeringer||Brad Verd||Lars Liman|
|Joao Damas||Kim Claffy||Brad Huffaker|
|George Michaelson||Yuji Sekiya||Cathy Murphy|
|Olaf Kolkman||Suzanne Woolf|
|Fredrick Nevas||Doug Barton|
Daniel K not here, was not within telecoms reach, decided not to patch in by phone so no conf. call
- Anycast update (vixie)
- v6 glue update (manning)
- Security (crocker)
- ICANN meeting report and administrations (woolf)
- Measurement activities (kc, cho)
- Future (jun)
1 - Anycast update (vixie)
Successful and wide deployment by about 1/2 of the servers, no longer controversial.
"everything seems to be ok" is the message.
List as found on www.root-servers.org
J in 15 sites
M live in Seoul.
I-root: some global, some not, depends on local environment. 5 new sites about to go live, in various stages of activation. Ones on web taking queries. Tokyo, Bucharest, Ankara coming up. Chicago in installation, Washington, DC later. Also KL/Malaysia.
B-root going to research and education nets.
M-root work in planning. couple of other locations
K-root, plan to deploy 3-4 global nodes during 04-05. 6-10 local nodes
One issue is unique server identification. Still the issue of dealing with 'which server served me' message info for when things go wrong. Server ID requirements being pursued by Woolf and Austein in IETF DNSEXT WG. Work stalled, restarting.
We need to do DNSSEC soon, gives ability to track data. Attack vector on anycast: "assert I's IP # in odd place, can pretend another instance of I. having signed zone to be published would help"
One can also stand up a machine for a heavily multi-homed I-root, same effect. It is possible even AS-path checks won't detect it. F had 145 BGP peers before adding a 2nd city. From an exterior point of view, multihoming and anycast are not distinguishable. Not a new problem. We should use DNSSEC.
2 - v6 glue update (manning)
ICANN received approval to add v6 glue for TLDs - added v6 glue for KR/JP/FR zones last week. Graph of v6 load from JP from Kato. V6 glue was in the authoritative section of JP. Base is 2-5 q/sec, but peak rises to higher end once deployed: from 2 to 4 (!), so still at low end.
V6 glue update: in the last MPLS meeting, talked about separating V6 glue for TLDs from glue for roots. The issues are slightly different. Since that meeting, there has been some activity on developing a matrix of what will/may occur when we add v6 glue to root servers. We hope to have a fairly detailed matrix available soon; if all else works properly, ought to be able to have it done, do analysis afterward, timed for Nov IETF DC. More to report then. Issues: packet size. Aiming for deployment in 2005.
Working on matrix, report in Nov, something for the next ICANN in Cape Town. There may be disparity issues (who's running what server). Shooting for 2005 implementation. Not technically difficult, but thoroughness is key!
SSAC - (crocker)
Joint participation between SSAC & RSSAC - lots of overlap.
Can talk about wildcard
Want to talk about DNSSEC
DNSSEC - the slide pack from Verisign?
The dnssec-rm evolution
Deployment - once DNSSEC specs are done.
Discussing what do we do to get from "here" to "there"
Verisign had a similar meeting yesterday
Jim Reid / ISC is running MOTA
ISSUES - a list of
When? - for stability
- 9-18 months.
This is partly due to the need to coordinate between 12 orgs
Therefore it is likely to see TLDs go first
SSAC slides from
SSAC rotation & replenish
Need a writer...
The Wildcard Report ....
Spec cleanup will
Does the report describe the "worst" ? KC.
Nope - Crocker.
3 - Security (crocker)
Spent a lot of time on the wildcard problem
Spent a lot of time on DNSSEC
(based on his slides)
Spent a lot of time wondering how to deploy DNSSEC and what the issues are. A separate project has emerged. Long suffering and has taken quite a while, over 10 years. Looking at the future, it's relatively easier to manage the beginning and end than the middle.
IANA/Root is pivotal to DNSSEC deployment. A deployment project has been spun out to work on issues not solved with existing RFCs
- Root issues
- End Systems
- Trust Anchors
Funding - DHS, US Leadership, EU Leadership, AP Leadership
Communities - IANA, Root Servers, gTLDs, ccTLDs, DNS Vendors
Complicated to deploy DNSSEC at the root due to the variety of demands for transparency and stability. Root server operators are cautious about announcing that they're DNSSEC compliant. They are waiting for RFCs to be finalized and stable code to be available before announcing a real deployment timetable. It is reasonable to wait until 2nd half of 2005 to speculate more on implementation plans.
1 Verisign changed the registry; caused harm
2 the change violated engineering principles, blurred architectural layers
3 Verisign's change put itself in the loop for all current and future proto changes
4 the change was abrupt despite long internal dev
5 quick reactions yielded more changes and counter patches
6 email senders and receivers were ingested into Verisign servers
7 web redirection page collected information associated with users
8 the collective events reduced trust overall
1 no new wildcards
2 roll back wildcards in existing TLDs
3 Clean up specs
4 enforce proper discipline, including open notice and consensus, for
taken up other subjects
- TLD failures (i.e., LY)
4 - ICANN meeting report and administrations (woolf)
RSSAC updated to the
- working on a separate recommendation re: v6 for the root
didn't have to talk much about anycast (not controversial)
TLDs are interested in deploying something like anycast
IDN - lots of questions about that
IDN is NOT root server issue
ICANN announced AAAA glue support during KL meeting
KR/JP/FR added - more on the way
RSSAC has a liaison to the ICANN nomcom (woolf)
- 3 openings (board)
- 1 gnso
- 2 ccnso
- 3 at large
Issues getting candidates, and nomcom has extended the deadline
New deadline is Aug 25
ICANN has invited RSSAC liaison to the board
good time to identify (nominate) liaison from RSSAC
annual appointment via the ICANN bylaws
Suzanne, Bill, & Johan attend meetings pretty often (Matt Larson as well)
Liman brought up that the current RSSAC participants are currently funded by their respective organizations. ICANN covering travel costs will mean a loss.
General agreement to put call on list, wait for replies for a week, then Jun selects.
5 - Measurement
KC - two SIGCOMM papers.
Projects - (vixie demos DSC - software from D. Wessels)
Cho - a CAIDA/WIDE WS after the IETF. Need input from RSSAC
Presents interesting measurement graphs. 19 sites, has many of the same features as the RIPE/DNSMON tool
With anycast - RTT may get worse - Kato
Clock resolution is problematic - if drift exceeds 10ms, it is hard to tell - Vixie
Barton invited to talk about v6 glue issues
Working on adding new glue - ICANN is getting v6 transport.
Delegation procedure docs well received.
Wants to see v6glue for root.
Use existing procedures to get NS glue updated.
6 - Futures
Next meeting date is 06nov - Sunday 15:00-17:00 - WDC IETF-61
Notes taken by: Bill Manning, Steve Conte, George Michaelson, Andrei Robachevsky