Julie, as a heads up, the TechWg is considering to do a very lightweight key signing ceremony. Ie something for small (cc)TLDs, just the technical side, not the two-person rule thing.
I'd like to have Rick Lamb help us if he can, but don't know who to ask. If that works out I would like to see this becoming a regular occurrence. And if that worked one could even look at increasing the levels... el On 2014-11-06 16:07, Julie Hedlund wrote: > Call for Participation -- ICANN DNSSEC Workshop at ICANN 52 in Singapore > > > > The DNSSEC Deployment Initiative and the Internet Society Deploy360 > Programme, in cooperation with the ICANN Security and Stability Advisory > Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 52 meeting > on 11 February 2015 in Singapore. The DNSSEC Workshop has been a part > of ICANN meetings for several years and has provided a forum for both > experienced and new people to meet, present and discuss current and > future DNSSEC deployments. For reference, the most recent session was > held at the ICANN meeting in Los Angeles on 15 October 2014. The > presentations and transcripts are > available at: http://la51.icann.org/en/schedule/wed-dnssec. > > > > We are seeking presentations on the following topics: > > > > 1. DNSSEC activities in Asia > > > > For this panel we are seeking participation from those who have > been involved in DNSSEC deployment in Asia and also from those who have > not deployed DNSSEC but who have a keen interest in the challenges and > benefits of deployment. In particular, we will consider the following > questions: What can DNSSEC do for you? What doesn't it do? What are > the internal tradeoffs to implementing DNSSEC? What did you learn in > your deployment of DNSSEC? We are interested in presentations from both > people involved with the signing of domains and people involved with the > deployment of DNSSEC-validating DNS resolvers. > > > > 2. Potential impacts of Root Key Rollover > > > > Given many concerns about the need to do a Root Key Rollover, we would > like to bring together a panel of people who can talk about what the > potential impacts may be to ISPs, equipment providers and end users, and > also what can be done to potentially mitigate those issues. In > particular, we are seeking participation from vendors, ISPs, and the > community that will be affected by distribution of new root keys. We > would like to be able to offer suggestions out of this panel to the > wider technical community. If you have a specific concern about the > Root Key Rollover, or believe you have a method or solution to help > address impacts, we would like to hear from you. > > > > 3. New gTLD registries and administrators implementing DNSSEC > > > > With the launch of the new gTLDs, we are interested in hearing from > registries and operators of new gTLDs about what systems and processes > they have implemented to support DNSSEC. As more gTLDs are launched, is > there DNSSEC-related information that can be shared to help those > launches go easier? > > > > 4. Guidance for Registrars in supporting DNSSEC > > > > The 2013 Registrar Accreditation Agreement (RAA) for registrars and > resellers requires them to support DNSSEC from January 1, 2014. We are > seeking presentations discussing: > > * What are the specific technical requirements of the RAA and how can > registrars meet those requirements? > > * What tools and systems are available for registrars that include > DNSSEC support? > > * What information do registrars need to provide to > resellers and ultimately customers? > > > > We are particularly interested in hearing from registrars who have > signed the 2013 RAA and have either already implemented DNSSEC support > or have a plan for doing so. > > > 5. APIs between the Registrars and DNS hosting operators > > > > One specific area that has been identified as needing focus is the > communication between registrars and DNS hosting operators, specifically > when these functions are provided by different entities. Currently, the > communication, such as the transfer of a DS record, often occurs by way > of the domain name holder copying and pasting information from one web > interface to another. How can this be automated? We would welcome > presentations by either registrars or DNS hosting operators who have > implemented APIs for the communication of DNSSEC information, or from > people with ideas around how such APIs could be constructed. > > > > 6. Implementing DNSSEC validation at Internet Service Providers (ISPs) > > > Internet Service Providers (ISPs) play a critical role by enabling > DNSSEC validation for the caching DNS resolvers used by their customers. > We have now seen massive rollouts of DNSSEC validation within large > North American ISPs and at ISPs around the world. We are interested in > presentations on topics such as: > > * What does an ISP need to do to prepare its network for implementing > DNSSEC validation? > > * How does an ISP need to prepare its support staff and technical staff > for the rollout of DNSSEC validation? > > * What measurements are available about the degree of DNSSEC validation > currently deployed? > > * What tools are available to help an ISP deploy DNSSEC validation? > > * What are the practical server-sizing impacts of enabling DNSSEC > validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, > technical support, etc.)? > > > > 7. The operational realities of running DNSSEC > > > > Now that DNSSEC has become an operational norm for many > registries, registrars, and ISPs, what have we learned about how we > manage DNSSEC? What is the best practice around key rollovers? How often > do you review your disaster recovery procedures? Is there operational > familiarity within your customer support teams? What operational > statistics have we gathered about DNSSEC? Are there experiences being > documented in the form of best practices, or something similar, for > transfer of signed zones? > > > > 8. DNSSEC automation > > > > For DNSSEC to reach massive deployment levels it is clear that a higher > level of automation is required than is currently available. Topics for > which we would like to see presentations include: > > * What tools, systems and services are available to help automate DNSSEC > key management? > > * Can you provide an analysis of current tools/services and identify gaps? > > * Where are the best opportunities for automation within DNSSEC signing > and validation processes? > > * What are the costs and benefits of different approaches to automation? > > > > 9. When unexpected DNSSEC events occur > > > > What have we learned from some of the operational outages that we > have seen over the past 18 months? Are there lessons that we can pass on > to those just about to implement DNSSEC? How do you manage dissemination > of information about the outage? What have you learned about > communications planning? Do you have a route to ISPs and registrars? How > do you liaise with your CERT community? > > > > 10. DANE and DNSSEC applications > > > > There is strong interest for DANE usage within web transactions as well > as for securing email and Voice-over-IP (VoIP). We are seeking > presentations on topics such as: > > * What are some of the new and innovative uses of DANE and other DNSSEC > applications in new areas or industries? > > * What tools and services are now available that can support DANE usage? > > * How soon could DANE and other DNSSEC applications become a deployable > reality? > > * How can the industry use DANE and other DNSSEC applications as a > mechanism for creating a more secure Internet? > > > > We would be particularly interested in any live demonstrations of DNSSEC > / DANE applications and services. For example, a demonstration of the > actual process of setting up a site with a certificate stored in a TLSA > record that correctly validates would be welcome. Demonstrations of new > tools that make the setup of DNSSEC or DANE more automated would also be > welcome. > > > 11. DANE / DNSSEC as a way to secure email > > > > The DNS-based Authentication of Named Entities (DANE) protocol is an > exciting development where DNSSEC can be used to provide a strong > additional trust layer for traditional SSL/TLS certificates. We are both > pleased and intrigued by the growing usage of DANE and DNSSEC as a means > of providing added security for email. Multiple email servers have added > support for DANE records to secure TLS/SSL connections. Some email > providers are marketing DNSSEC/DANE support. We would like to have a > panel at ICANN 51 focusing on this particular usage of DANE. Are you a > developer of an email server or client supporting DANE? Do you provide > DANE / DNSSEC support in your email service? Can you provide a brief > case study of what you have done to implement DANE / DNSSEC? Can you > talk about any lessons you learned in the process? > > > > 12. DNSSEC and DANE in the enterprise > > > > Enterprises can play a critical role in both providing DNSSEC validation > to their internal networks and also through signing of the domains owned > by the enterprise. We are seeking presentations from enterprises that > have implemented DNSSEC on validation and/or signing processes and can > address questions such as: > > * What are the benefits to enterprises of rolling out DNSSEC validation? > And how do they do so? > > * What are the challenges to deployment for these organizations and how > could DANE and other DNSSEC applications address those challenges? > > * How should an enterprise best prepare its IT staff and network to > implement DNSSEC? > > * What tools and systems are available to assist enterprises in the > deployment of DNSSEC? > > * How can the DANE protocol be used within an enterprise to bring a > higher level of security to transactions using SSL/TLS certificates? > > > > 13. Hardware Security Modules (HSMs) use cases and innovation > > > > We are interested in demonstrations of HSMs, presentations of > HSM-related innovations and real world use cases of HSMs and key > management. > > > > In addition, we welcome suggestions for additional topics. > > > > If you are interested in participating, please send a brief (1-2 > sentence) description of your proposed presentation to dnssec- > <mailto:[email protected]>[email protected] > <mailto:[email protected]> by **Wednesday, 03 December 2014** > > > > We hope that you can join us. > > > > Thank you, > > > > Julie Hedlund > > > > On behalf of the DNSSEC Workshop Program Committee: > > Mark Elkins, DNS/ZACR > > Cath Goulding, Nominet UK > > Jean Robert Hountomey, AfricaCERT > > Jacques Latour, .CA > > Xiaodong Lee, CNNIC > > Luciano Minuchin, NIC.AR > > Russ Mundy, Parsons > > Ondřej Surý, CZ.NIC > > Yoshiro Yoneya, JPRS > > Dan York, Internet Society > -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (Saar) [email protected] / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 \ / Bachbrecht, Namibia ;____/
