Dear colleagues,
We feel the time is right to start documenting operational
considerations with respect to deployment of DNSSEC. Miek Gieben and
myself are hereby volunteering to edit such a document.
Our intention is to make a reasonably complete reference for those who
want to deploy DNSSEC in their environment.
Below is a table of content to indicate the topics we want to
cover. We invite everybody to suggest additional topics, share rough
ideas, submit text and/or give input on our approach.
We want to submit a first framework draft before the London IETF and a
fairly advanced draft by the December IETF.
Althought this work will be done as part of the dnsop working
group. We will use the [EMAIL PROTECTED] (majordomo) list for discussing
the details. All drafts will, of course, be posted to the dnsop list.
--Olaf Kolkman [EMAIL PROTECTED]
Miek Gieben [EMAIL PROTECTED]
draft-ietf-dnsop-dnssec-operational-considerations
Table of Contents
1 Introduction......................................
<!--Introduction on the document and it's structure.-->
2 DNSSEC, the basics in one page....................
<!--One page DNSSEC concepts recap. -->
2.1 Public key cryptography and DNSSEC..............
<!--Recap of terminology and important concepts.-->
2.2 Parent and child................................
<!-- Delegating zone publishing authority and signing
authority. -->
2.3 Differences w.r.t. non DNSSEC operations.
<!-- describe additional maintenance tasks refer to elsewhere
in the BCP for details -->
3 Roles and responsibilities.
3.1 domain holder <!-- responsible for zone content -->
3.2 registrar
3.3 registry
3.4 zone administrator <!-- access to the zone file -->
3.5 key-master <!-- has access to keys and can sign -->
4 Key handling
4.1 Why to keep your key secret
4.3 key generation
4.4 Key lifetime.
4.5 Signing system.
<!-- architecture suggestion -->
4.6 Signing process.
<!-- how to prevent the signing of the WRONG data. -->
5 Scheduled Parent Child interactions
5.1 Establishing trust
<!-- First Key exchange -->
5.2 Key roll over
5.3 Nameserver changes
6 Emergency procedures.
6.1 Unscheduled key roll over.
7 Policy issues ....................................
<!-- We are not sure if we want to maintain this section -->
7.1 DNS as a PKI....................................
7.2 Signature and the DNS...........................
7.3 How to publish a policy.........................
8 Timing parameters
8.1 Inventory of timing parameters
<!-- SOA, default TTL, TTL on RRsets, TTL of SIG and KEY
life time of KEY and SIG. -->
8.2 Considerations on timing.
<!-- how do these parameters interact. What are descent values. -->
9 Systems consideration
9.1 Random devices
9.2 Systems security.
9.3 Hardware and OS considerations
References
Appendix
A. Suggested notation for describing key exchanges.
B. Emergency procedure form.
C. Suggested Literature
