Trust Anchor Update Requirements for DNSSEC Russ Mundy for the editors Steve Crocker, Howard Eland, Russ Mundy

21 Mar 06IETF-65/dnsext Rollover Req 2 Short Background Multiple proposals ‘on the table’ for trust anchor rollover During dnsext meeting at IETF-64, working group decided that various proposals were solving different problems –We need a Requirements Document Editors Volunteered –WG Co-chairs directed WG to send trust anchor rollover requirements directly to editors

21 Mar 06IETF-65/dnsext Rollover Req 3 Short Background (cont.) Small number of requirements stated at Vancouver WG meeting Editors’ “ground rules” –Editors would not look at any proposed solutions while creating the ID –Editors would not include any of their requirements in the 00 ID Editors received very few requirements inputs after the meeting

21 Mar 06IETF-65/dnsext Rollover Req 4 Short Background (cont.) The editors were LATE producing the document (sorry) Individual requirements ID was published a short time before the initial WG ID was complete

21 Mar 06IETF-65/dnsext Rollover Req 5 Rollover Req Current State Two requirements documents published as ID’s –Much discussion of WG ID on the list 10 requirements identified in WG ID 100 messages since 21 Feb announcement of ID Initial discussion centered ‘completeness’ of ID –Comments about definitions containing requirements –Hilarie Orman provided contrast with individual ID Approximately 90 messages dealing with one issue Small number (~10) messages related to another requirement

21 Mar 06IETF-65/dnsext Rollover Req 6 Rollover Req Current State (cont.) Individual submission ID published shortly before WG ID –ID lists 10 requirements –Compare & contrast later in presentation –Small amount of discussion on the list Comments made centered on concerns about the availability &/or encumbrance of takrem

21 Mar 06IETF-65/dnsext Rollover Req 7 WG ID Requirements State 5.1 Scalability –no discussion –text may be acceptable 5.2 No Intellectual Property Encumbrance –HUGE amount of discussion –Seem to have sufficient words 5.3 General Applicability –minimal discussion –text may be acceptable

21 Mar 06IETF-65/dnsext Rollover Req 8 WG ID Requirements State (cont.) 5.4 Support Private Networks –no discussion –text may be acceptable 5.5 Support Reconnecting Systems –minimal discussion - length of time needed to support re-connecting off-line systems needs to be decided –descriptive text may be acceptable

21 Mar 06IETF-65/dnsext Rollover Req 9 WG ID Requirements State (cont.) 5.6 Manual Operations Permitted –Moderate amount of discussion –Not clear if current text captures requirement –May result in more than one requirement particularly WRT ‘mandatory to implement’ 5.7 Planned and Unplanned Rollovers –minimal discussion –text may be acceptable

21 Mar 06IETF-65/dnsext Rollover Req 10 WG ID Requirements State (cont.) 5.8 Timeliness –no discussion –text may be acceptable 5.9 High Availability –no discussion yet but some is needed –basic text may be acceptable 5.10 New RR Types –no discussion yet but some is needed –basic text may be acceptable

WG Rollover Requirements Summary Req # Concept & Details Probably Okay Concept Okay - Details Need Work Requirement Needs Work 5.1X 5.2X 5.3X 5.4X 5.5X 5.6X 5.7X 5.8X 5.9X 5.10X

21 Mar 06IETF-65/dnsext Rollover Req 12 WG ID General Comments Comment: “Definitions contain embedded requirements” –Response: May be correct but content of definitions was developed by the editors who: Avoided putting their own requirements in ID needed more terminology than was defined in RFC 4033 –Text provided already will be included in 01

21 Mar 06IETF-65/dnsext Rollover Req 13 General Comment Comment: Comparison of Individual ID & WG ID by Hilarie Orman –Each document has good points –Neither document is complete Response: Desires of WG are not clear –Minimal discussion on list WRT comparison –No statements of support or opposition to suggestion that requirements are “incomplete”

21 Mar 06IETF-65/dnsext Rollover Req 14 General Comment (cont.) Tried to extract specific requirements from individual ID but didn’t succeed: –Not clear that Hilarie’s abstraction matched author’s intent for the requirement –ID describes & defines a number of operational practices that are normally ‘local policy’ in IETF specifications –ID seems to define security requirements that extend well beyond trust anchor rollover These may be needed but that’s beyond the scope of the current Trust Anchor rollover requirements document –Usage of some terms seems inconsistent with RFC-4033

21 Mar 06IETF-65/dnsext Rollover Req 15 General Comment (cont.) Seeking input from the WG: –Do folks see requirements in the individual ID that should be included in the WG ID? Are folks willing to provide text? –From a broader perspective, do folks believe there are requirements that are not currently in the WG ID? (Personal comment, I really think there must be but as an editor, I don’t want to ‘invent’ them)

21 Mar 06IETF-65/dnsext Rollover Req 16 What’s Next? Publish an 01 version that incorporates current revisions –Hoping to send 01 to ID editor by the end of next week Plea from the editors for more discussion on current or new requirements –Discussion on one challenging requirement seems to have consensus –There are currently nine others that we need to be sure we reach consensus on quickly. If you like some requirement &/or wording, say so If you don’t, say that also but please provide text

Other Comments, Questions or Suggestions?

21 Mar 06IETF-65/dnsext Rollover Req 18 Other Comments, Questions or Suggestions?