Editor's note: These minutes have not been edited.

From: "James M. Galvin"
Subject: Joint DNSSEC/DNSIND Meeting Minutes

The DNSSEC and DNSIND working groups met jointly on Wednesday, December 11. The agenda was as follows:

    Introductions
    Implementation Status
    Documents
        draft-ietf-dnsind-dynDNS-11.txt
        draft-ietf-dnssec-update-02.txt

Although it has been announced on the mailing list for some time, Trusted Information Systems (TIS) announced the global availability of their DNSSEC implementation; it has been approved for export in source code form. Note, the source code does not include the cryptographic functions. These are available separately in the US by acquiring RSAREF and outside the US by acquiring RSAEURO. John Gilmore was thanked for his expertise and advice in assisting TIS during the export application process.

TIS reported that their implementation of DNSSEC is currently being integrated with the latest version of bind. The completion of this will permit bind to be distributed with support for secure DNS. In parallel they have begun implementing the secure dynamic update specifications.

John Gilmore reported that support for SIG and KEY records is in the current production release of BIND (4.9.5). This support allows the RR's to be published and queried, but does no cryptographic validation. You can generate these records using the offline signer in TIS's beta release. The same support, plus additional support for NXT records is already in BIND 8.x, and he is actively working on merging the rest of TIS's DNSSEC into it. In addition, two of the root/com servers are running 4.9.5 and could publish keys and signatures (the rest will have to upgrade to make it possible for the IANA or the InterNIC to publish keys or signature).

Paul Vixie reported that the latest version of bind currently supports the latest version of dynamic update without security.

In closing, the working group was asked if there were any serious technical objections to the advancement of the two principal documents before them. The dynamic update document (dnsind-dynDNS) is in IETF Last Call pending the advancement of the secure dynamic update document (dnssec-update).

A technical issue was raised in the secure dynamic update draft (dnssec-update) as to the infeasibility of the reverse key mapping. Since it is not an essential part of the secure update mechanism, it was decided to defer the issue to the mailing list and to move that section of the document to a separate document, thus permitting the advancement of the base document.

With this one editorial change it was the consensus of the working groups to submit the secure dynamic update draft (dnssec-update) to the IESG to be considered for publication as a Proposed Standard.

All discussion of future work of the working groups was deferred to their respective mailing lists and the meeting adjourned.

----------------------------------------------------------------------------
James M. Galvin                  galvin@commerce.net
CommerceNet                      +1 410.203.2707
3209-A Corporate Court           FAX +1 410.203.2709
Ellicott City, MD 21042          http://www.commerce.net/
http://www.eff.org/blueribbon    http://www.eff.org/goldkey