On Nov 6, 2014, at 3:13 PM, Mehmet Akcin wrote: > I would be glad to help with signing. I have experience signing some small > zones
Small zones like the root zone ??:-) --Alain > > Mehmet > >> On Nov 6, 2014, at 7:09 AM, Dr Eberhard Lisse <[email protected]> wrote: >> >> Julie, >> >> as a heads up, the TechWg is considering to do a very lightweight key >> signing ceremony. Ie something for small (cc)TLDs, just the technical >> side, not the two-person rule thing. >> >> I'd like to have Rick Lamb help us if he can, but don't know who to ask. >> >> If that works out I would like to see this becoming a regular >> occurrence. And if that worked one could even look at increasing the >> levels... >> >> el >> >> >>> On 2014-11-06 16:07, Julie Hedlund wrote: >>> Call for Participation -- ICANN DNSSEC Workshop at ICANN 52 in Singapore >>> >>> >>> >>> The DNSSEC Deployment Initiative and the Internet Society Deploy360 >>> Programme, in cooperation with the ICANN Security and Stability Advisory >>> Committee (SSAC), are planning a DNSSEC Workshop at the ICANN 52 meeting >>> on 11 February 2015 in Singapore. The DNSSEC Workshop has been a part >>> of ICANN meetings for several years and has provided a forum for both >>> experienced and new people to meet, present and discuss current and >>> future DNSSEC deployments. For reference, the most recent session was >>> held at the ICANN meeting in Los Angeles on 15 October 2014. The >>> presentations and transcripts are >>> available at: http://la51.icann.org/en/schedule/wed-dnssec. >>> >>> >>> >>> We are seeking presentations on the following topics: >>> >>> >>> >>> 1. DNSSEC activities in Asia >>> >>> >>> >>> For this panel we are seeking participation from those who have >>> been involved in DNSSEC deployment in Asia and also from those who have >>> not deployed DNSSEC but who have a keen interest in the challenges and >>> benefits of deployment. In particular, we will consider the following >>> questions: What can DNSSEC do for you? What doesn't it do? What are >>> the internal tradeoffs to implementing DNSSEC? What did you learn in >>> your deployment of DNSSEC? We are interested in presentations from both >>> people involved with the signing of domains and people involved with the >>> deployment of DNSSEC-validating DNS resolvers. >>> >>> >>> >>> 2. Potential impacts of Root Key Rollover >>> >>> >>> >>> Given many concerns about the need to do a Root Key Rollover, we would >>> like to bring together a panel of people who can talk about what the >>> potential impacts may be to ISPs, equipment providers and end users, and >>> also what can be done to potentially mitigate those issues. In >>> particular, we are seeking participation from vendors, ISPs, and the >>> community that will be affected by distribution of new root keys. We >>> would like to be able to offer suggestions out of this panel to the >>> wider technical community. If you have a specific concern about the >>> Root Key Rollover, or believe you have a method or solution to help >>> address impacts, we would like to hear from you. >>> >>> >>> >>> 3. New gTLD registries and administrators implementing DNSSEC >>> >>> >>> >>> With the launch of the new gTLDs, we are interested in hearing from >>> registries and operators of new gTLDs about what systems and processes >>> they have implemented to support DNSSEC. As more gTLDs are launched, is >>> there DNSSEC-related information that can be shared to help those >>> launches go easier? >>> >>> >>> >>> 4. Guidance for Registrars in supporting DNSSEC >>> >>> >>> >>> The 2013 Registrar Accreditation Agreement (RAA) for registrars and >>> resellers requires them to support DNSSEC from January 1, 2014. We are >>> seeking presentations discussing: >>> >>> * What are the specific technical requirements of the RAA and how can >>> registrars meet those requirements? >>> >>> * What tools and systems are available for registrars that include >>> DNSSEC support? >>> >>> * What information do registrars need to provide to >>> resellers and ultimately customers? >>> >>> >>> >>> We are particularly interested in hearing from registrars who have >>> signed the 2013 RAA and have either already implemented DNSSEC support >>> or have a plan for doing so. >>> >>> >>> 5. APIs between the Registrars and DNS hosting operators >>> >>> >>> >>> One specific area that has been identified as needing focus is the >>> communication between registrars and DNS hosting operators, specifically >>> when these functions are provided by different entities. Currently, the >>> communication, such as the transfer of a DS record, often occurs by way >>> of the domain name holder copying and pasting information from one web >>> interface to another. How can this be automated? We would welcome >>> presentations by either registrars or DNS hosting operators who have >>> implemented APIs for the communication of DNSSEC information, or from >>> people with ideas around how such APIs could be constructed. >>> >>> >>> >>> 6. Implementing DNSSEC validation at Internet Service Providers (ISPs) >>> >>> >>> Internet Service Providers (ISPs) play a critical role by enabling >>> DNSSEC validation for the caching DNS resolvers used by their customers. >>> We have now seen massive rollouts of DNSSEC validation within large >>> North American ISPs and at ISPs around the world. We are interested in >>> presentations on topics such as: >>> >>> * What does an ISP need to do to prepare its network for implementing >>> DNSSEC validation? >>> >>> * How does an ISP need to prepare its support staff and technical staff >>> for the rollout of DNSSEC validation? >>> >>> * What measurements are available about the degree of DNSSEC validation >>> currently deployed? >>> >>> * What tools are available to help an ISP deploy DNSSEC validation? >>> >>> * What are the practical server-sizing impacts of enabling DNSSEC >>> validation on ISP DNS Resolvers (ex. cost, memory, CPU, bandwidth, >>> technical support, etc.)? >>> >>> >>> >>> 7. The operational realities of running DNSSEC >>> >>> >>> >>> Now that DNSSEC has become an operational norm for many >>> registries, registrars, and ISPs, what have we learned about how we >>> manage DNSSEC? What is the best practice around key rollovers? How often >>> do you review your disaster recovery procedures? Is there operational >>> familiarity within your customer support teams? What operational >>> statistics have we gathered about DNSSEC? Are there experiences being >>> documented in the form of best practices, or something similar, for >>> transfer of signed zones? >>> >>> >>> >>> 8. DNSSEC automation >>> >>> >>> >>> For DNSSEC to reach massive deployment levels it is clear that a higher >>> level of automation is required than is currently available. Topics for >>> which we would like to see presentations include: >>> >>> * What tools, systems and services are available to help automate DNSSEC >>> key management? >>> >>> * Can you provide an analysis of current tools/services and identify gaps? >>> >>> * Where are the best opportunities for automation within DNSSEC signing >>> and validation processes? >>> >>> * What are the costs and benefits of different approaches to automation? >>> >>> >>> >>> 9. When unexpected DNSSEC events occur >>> >>> >>> >>> What have we learned from some of the operational outages that we >>> have seen over the past 18 months? Are there lessons that we can pass on >>> to those just about to implement DNSSEC? How do you manage dissemination >>> of information about the outage? What have you learned about >>> communications planning? Do you have a route to ISPs and registrars? How >>> do you liaise with your CERT community? >>> >>> >>> >>> 10. DANE and DNSSEC applications >>> >>> >>> >>> There is strong interest for DANE usage within web transactions as well >>> as for securing email and Voice-over-IP (VoIP). We are seeking >>> presentations on topics such as: >>> >>> * What are some of the new and innovative uses of DANE and other DNSSEC >>> applications in new areas or industries? >>> >>> * What tools and services are now available that can support DANE usage? >>> >>> * How soon could DANE and other DNSSEC applications become a deployable >>> reality? >>> >>> * How can the industry use DANE and other DNSSEC applications as a >>> mechanism for creating a more secure Internet? >>> >>> >>> >>> We would be particularly interested in any live demonstrations of DNSSEC >>> / DANE applications and services. For example, a demonstration of the >>> actual process of setting up a site with a certificate stored in a TLSA >>> record that correctly validates would be welcome. Demonstrations of new >>> tools that make the setup of DNSSEC or DANE more automated would also be >>> welcome. >>> >>> >>> 11. DANE / DNSSEC as a way to secure email >>> >>> >>> >>> The DNS-based Authentication of Named Entities (DANE) protocol is an >>> exciting development where DNSSEC can be used to provide a strong >>> additional trust layer for traditional SSL/TLS certificates. We are both >>> pleased and intrigued by the growing usage of DANE and DNSSEC as a means >>> of providing added security for email. Multiple email servers have added >>> support for DANE records to secure TLS/SSL connections. Some email >>> providers are marketing DNSSEC/DANE support. We would like to have a >>> panel at ICANN 51 focusing on this particular usage of DANE. Are you a >>> developer of an email server or client supporting DANE? Do you provide >>> DANE / DNSSEC support in your email service? Can you provide a brief >>> case study of what you have done to implement DANE / DNSSEC? Can you >>> talk about any lessons you learned in the process? >>> >>> >>> >>> 12. DNSSEC and DANE in the enterprise >>> >>> >>> >>> Enterprises can play a critical role in both providing DNSSEC validation >>> to their internal networks and also through signing of the domains owned >>> by the enterprise. We are seeking presentations from enterprises that >>> have implemented DNSSEC on validation and/or signing processes and can >>> address questions such as: >>> >>> * What are the benefits to enterprises of rolling out DNSSEC validation? >>> And how do they do so? >>> >>> * What are the challenges to deployment for these organizations and how >>> could DANE and other DNSSEC applications address those challenges? >>> >>> * How should an enterprise best prepare its IT staff and network to >>> implement DNSSEC? >>> >>> * What tools and systems are available to assist enterprises in the >>> deployment of DNSSEC? >>> >>> * How can the DANE protocol be used within an enterprise to bring a >>> higher level of security to transactions using SSL/TLS certificates? >>> >>> >>> >>> 13. Hardware Security Modules (HSMs) use cases and innovation >>> >>> >>> >>> We are interested in demonstrations of HSMs, presentations of >>> HSM-related innovations and real world use cases of HSMs and key >>> management. >>> >>> >>> >>> In addition, we welcome suggestions for additional topics. >>> >>> >>> >>> If you are interested in participating, please send a brief (1-2 >>> sentence) description of your proposed presentation to dnssec- >>> <mailto:[email protected]>[email protected] >>> <mailto:[email protected]> by **Wednesday, 03 December 2014** >>> >>> >>> >>> We hope that you can join us. >>> >>> >>> >>> Thank you, >>> >>> >>> >>> Julie Hedlund >>> >>> >>> >>> On behalf of the DNSSEC Workshop Program Committee: >>> >>> Mark Elkins, DNS/ZACR >>> >>> Cath Goulding, Nominet UK >>> >>> Jean Robert Hountomey, AfricaCERT >>> >>> Jacques Latour, .CA >>> >>> Xiaodong Lee, CNNIC >>> >>> Luciano Minuchin, NIC.AR >>> >>> Russ Mundy, Parsons >>> >>> Ondřej Surý, CZ.NIC >>> >>> Yoshiro Yoneya, JPRS >>> >>> Dan York, Internet Society >> >> -- >> Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (Saar) >> [email protected] / * | Telephone: +264 81 124 6733 (cell) >> PO Box 8421 \ / >> Bachbrecht, Namibia ;____/
