DNSSEC Public Meeting

06/25/2008 - 13:00
06/25/2008 - 15:30
What it is | The Security and Stability Advisory Committee (SSAC) actively works to facilitate the deployment of DNSSEC. This session is a public presentation from those actively engaged in the deployment of DNSSEC.

Why it's important | Registries, registrars, and the others who plan to deploy DNSSEC services will benefit from the presentation and discussion of the deployment experience.

Who should attend? | Anyone with an interest in the deployment of DNSSEC, especially registry and registrar representatives from technical, operational, and strategic planning roles.
Agenda details: 
1) Introductions and Welcome
Steve Crocker, Russ Mundy
Co-Chairs of the DNSSEC Deployment Initiative

Included in the opening remarks will be an update on the status
of the recommendations made by SSAC in its Statement to ICANN and
the Community on the Deployment of DNSSEC (SAC026).

2) DNSSEC In The Field

  • SSAC, through the DNSSEC Deployment Initiative, continues to examine the deployment of DNSSEC around the world and invite representatives to present and discuss their design, implementation, and operation of DNSSEC and DNSSEC related activities. In this session we will have several speakers discussing registry plans, trust anchor repositories, and experiences after one year of operation.

a. Registry Services Technical Evaluation Panel (RSTEP) - Update
Lyman Chapin, RSTEP Chair

The RSTEP was created to provide fast responses when a new
registry service is proposed and there are questions about
possible security and/or stability issues. This update will
present the results of the recently completed review of PIR's
proposal to introduce DNSSEC into the .ORG zone.

The report is available on the ICANN web site:


Alexa Raad, President and CEO

c. Approach to DNSSEC by the use of Dynamic Update
Eugenio Pinto, FCCN
Sara Monteiro, FCCN

One of the concerns about implementing DNSSEC is the
processing power consumption and time that is required to sign
an entire zone file. This presentation shows how to put
dynamic updates into the equation in order to reduce the
amount of resources needed. The main purpose is to give some
feedback about test results, allowing others to conclude if
they should follow (or not) the same approach to the problem.

d. Czech Republic Deploys DNSSEC for ENUM
Pavel Tuma <pavel.tuma@nic.cz>

e. Practical DNSSEC Deployment
Lutz Donnerhacke, IKS GmbH, Jena

Starting with DLV as a survey, this talk is about practical
DNSSEC experience. Two years ago DNSSEC was enabled on the
ISP's authoritative servers and the customers' recursive
resolvers. As a large scale DNSSEC setup we simulated the
RIPE region of the Internet with DNSSEC signed zones in a
testbed for the bgp.arpa. An AJAX based, interactive, DNSSEC
aware resolver demonstration with the ability to mount
pharming and poisoning attacks was developed to show exactly
how DNSSEC works.

f. IANA DS Registry
Barbara Roseman, IANA

g. DNSSEC at ICANN - Where We Stand
Richard Lamb, IANA

An update of DNSSEC efforts at IANA will be presented.

h. Trust Anchor Repositories (TAR)
Russ Mundy, Sparta

A trust anchor repository provides a means for a DNSSEC
validator to fetch trust anchor information for secure zones,
particularly when the zone's parent zone is not signed. It is
important to note that gaps in the signed name space can be
anywhere, so the problem does not go away even if the root is
signed. The DNSSEC Deployment Initiative has prepared a white
paper describing types of DNSSEC Trust Anchors, along with
their different architectural, operational, and organizational
models. The goal is to lay the foundation for helping the
community decide which approach will most favor the deployment

3) DNSSEC Tools

Several organizations are actively developing software and
hardware to support the deployment of DNSSEC. In this session we
will have several speakers discussing what is currently available
and their plans for the future.

Sparta tools
Russ Mundy, Sparta

Sparta survey of tools
Russ Mundy, Sparta

Secure64 DNSSEC Made Easy
Joe Gersch, VP Engineering, Secure64 Software Corporation


DNSSEC has the potential to eliminate large classes of attacks on
the DNS and greatly increase trust in the world's Internet
infrastructure. However, adoption of DNSSEC has been slowed by
the complexity of managing and rolling signing keys safely and
correctly, and the difficulty of signing large, rapidly changing
zones quickly. In this session, Mr. Gersch will describe new
signing technology that simplifies and automates the process of
deploying DNSSEC, even in the largest and most demanding

Unbound: The design of a validating caching resolver
Jaap Akkerhuis, NLnetLabs

Joao Damas, ISC