Notes of an Ad-Hoc Meeting 17/07/03
NOTES OF AN AD-HOC MEETING HELD AT NZRS ON THURSDAY 17 JULY TO DISCUSS GEEK.NZ, DNSSEC AND IPV6 COMMENCING AT 12.00 P.M.
Present:
David Farrar (VP, InternetNZ), Nick Griffin (NZRS Manager), Debbie Monahan (Domain Name Commissioner), Andrew McMillan (Catalyst IT), Don Stokes (INZ Technical Cmte), David Zanetti (INZ Technical Cmte), Dean Pemberton (geek.nz applicant), Andy Linton (geek.nz proponent) and Ewen McNeill (geek.nz groupie)
Background:
The meeting was to discuss the proposal (at http://www.dnc.org.nz/content/geek_2nd_round_abley_et_al.pdf) by Dean Pemberton, Joe Abley and Andy Linton with regards to the new geek.nz 2LD and DNSSEC.
Discussion:
The proponents clarified that they would actually like DNSSEC used throughout the .nz TLD, not just for geek.nz but thought that geek.nz could be used initially, if this was desirable. As DNSSEC can slow down the push of a zone file, it might be preferable to start with a smaller zone of say 500 than the .nz zone of 130,000 or so.
In response to a question on whether the IETF has concluded an RFC on DNSSEC, the reply was is that it is in the final stages and the outstanding issuers are very minor.
The DNC stated that her concern and the likely concern of NZOC is that all registrants have the same rights and the SLA between InternetNZ and NZRS is met. It was clarified that having DNSSEC would allow registrants of 3LD names to gain the benefit of also using DNSSEC , but that it would not be compulsory.
It was clarified that one could run a DNSSEC signed zone on the same server as a normal zone, so that the proposal does not have to involve servers outside those currently used by NZRS, however the offer from, the proponents to provide name servers still stands if a separate deployment environment is wanted.
Introduction of DNSSEC would preferably involve some changes to the SRS also, not just to name servers, so people can put their DNSSEC keys into the SRS and hence into the DNS.
In terms of other ccTLDs which have introduced DNSSEC, it was stated the .nl have introduced it, but at this stage they are not using it in their zone files. There is an opportunity for InternetNZ to be seen as a leader in providing extra security.
The NZRS Manager said that the four issues for NZRS are likely to be:
- Who pays?
- Defining the project, what is involved and reasonable time-frames
- What are the success criteria?
- Risk Management issues
There was brief mention of IPv6 also. At some stage the Registry will need to be able to accept IPv6 glue records, as .au now does for example. This could be implemented once APNIC advises of a certain threshold of Ipv6 allocations or it may be practical to combine it with any introduction of DNSSEC, so that there is only one RIK update. Accepting Ipv6 glue records is an easier change to implement than DNSSEC according to the technical experts.
The proponents said that they and other colleagues will be very happy to assist InternetNZ and NZRS in introducing DNSSEC if that is the decision made.
Consensus:
The consensus of the meeting was that the best way to move the issue forward would be to report back to the INZ Council and ask them to resolve to ask NZRS to favourably consider the introduction of DNSSEC and IPv6 to the .nz TLD. This would then allow NZRS to define the project and report on likely costs, what is involved, achievable time-frames, risks etc.It was stressed that NZRS already has considerable planned work, and any request from Council, would have to be considered as part of the overall work programme of NZRS.
The meeting closed at 2.00 p.m.
Recommendation:
The motion I propose gets placed before Council is:
"That InternetNZ request .nz Registry Services to plan for the introduction of DNSSEC and Ipv6 to the .nz TLD, and for .nz Registry Services to report back on how this can be achieved."
