OpenDNSSEC > Meetings > Minutes > 2009-11-17
Present: Alex, Antoin, Jakob (part of the meeting), Jan, Rickard, Roland, Rick Zijlker (RickZ), Sion, Stephen
0. Who will write minutes?
Stephen volunteered.
1. Agree on the agenda
Stephen asked that he give a brief report on the OpenDNSSEC meeting held at IETF-76 in Hiroshima.
1a. Hiroshima Meeting
Stephen gave an overview of the meeting - minutes can be found at http://trac.opendnssec.org/wiki/Meetings/Minutes/2009-11-12.
The discussions ended with Rickard summarising:
- Major bugs (listed in the Hiroshima discussions) need to be fixed.
- 1.0 will be delayed by one week; when it is released it will be V1.0rc1
- Formal testing work will be divided between Nominet and SIDN
- Tests will be done on 1.0rc1
- It is anticipated that a second release (1.0rc2) will be made with bugs fixed. This will be retested.
- If all OK, it will be released as V1.0.
2. Action items of last meeting
Rickard - include a guide on time durations and fixed points in time for rolling keys in the user documentation
Completed.
Rickard - add to the documentation a simple "how to" description about rolling keys on a specific date
Completed.
Patrik - Rearrange the web site and make it look good
In progress.
Action: Patrik - Rearrange the web site and make it look good.
Matthijs - add story to Pivotal Tracker concerning implementing a loglevel restriction, scheduling it for V1.1
Completed.
All - Look into the key rolling draft and check the algorithm for sanity
No feedback.
Action: Stephen - put something on the mailing list.
Rickard - start thread on mailing list about checking if the default policy is sane for small-scale users
No feedback, so an agenda item was added to this meeting (see below).
Action: Rickard to contact Antti Ristimäki (who has been active on the mailing list) for his feedback.
Patrik - withdraw PDF guide from wiki
Completed.
Alex - add a story to Pivotal Tracker for partial auditing in V1.1
Completed.
Patrik - add a recommendation to the documentation to disable auditing on very large zones
Completed.
Anyone - note that the HIP RR is not supported in OpenDNSSEC 1.0
Completed.
Alex - construct test zone file containing binary names
Completed.
Anyone - check the handling of unknown RR types
Both the signer and auditor need some work.
Anyone - mark MySQL support as experimental unless sufficiently tested before OpenDNSSEC 1.0 Release
Completed.
Stephen - check about giving the OpenDNSSEC presentation to the IEPG
Completed. A talk was given at the IETF-76 IEPG meeting.
3. Release status update
There were no comments on the recent releases.
4. Component status
KASP Enforcer
Sion has added most of the two-step KSK rollover code and hopes to commit later today. He will then look at the memory leak.
Signer
- Working on the vanishing RR problem. He has now solved it when RRs are deleted, but now has problems when new RRs are added.
- Has fixed a bug in durations.
- Has added class inheritance.
- Has worked on better communications between the signer and the auditor.
One issue that might be a show-stopper is that the signer assumes that if there are no signature changes, the zone is unchanged (so does not publish it). This affects cases where unsigned delegations are added to a zone. After some discussion, it was agreed that the signer should always publish a new zone when the ods-sign command is issued.
Action: Matthijs - modify signer to always publish zone when ods-sign is issued.
The case of communication between runs of the signer was raised; currently there are seven files in the temporary directory. This will be looked at in a later version of the software.
Auditor
- There are performance issues with large number of zones and with large zones. This will be fixed in 1.n of the software; until then, the release notes will list restrictions concerning the auditor.
- There are bugs to do with unknown classes (i.e. not IN, CH or HS). They should not take long to fix; however, these are very obscure cases and are unlikely to come up in practice.
SoftHSM
Rickard is at Surfnet talking about requirements for the next version of the software. One idea is to create an abstraction layer allowing use of OpenSSL or Botan for cryptographic operations. (The reason that SoftHSM does not use OpenSSL is for diversity: a lot of existing software uses OpenSSL.)
More feedback on this idea is required on the mailing list.
5. Features and issues from Pivotal Tracker
Most of the issues have already been discussed in this meeting.
6. Testing
SIDN
Has been working on the requirements/risk analysis for the past two weeks. Results of this will be sent to everyone once all the surveys have been returned.
RickZ is creating and designing test cases, and aims to formally start testing in the second or third week of December.
Nominet
So far unstructured testing, with all issues being raised in Pivotal Tracker. Nominet will join up with SIDN to aid with the structured testing.
.se
Have done a lot of testing. One problem encountered was that of signer threads hanging; they are unsure if this has been fixed in the latest release. They have also tested with multiple zones and have provided feedback on that.
7. Monitor a DNSSEC-signed zone
Alex said that "Monitor" is based on the .se Perl program, checking various details of a signed zone (such as when signatures will expire, etc.). It adds features such as checking the validation chain from the root and checking that child DS records are configured correctly. Nominet will be using it to check their nameservers.
It has been added to the OpenDNSSEC repository as a useful tool. More attention will be given to it after V1.
8. Comments on the default KASP
Enable <ShareKeys/>
There was some discussion on this. Enabling this option reduces the number of keys required (so avoiding problems with HSMs that only store a limited number of keys). However, it was felt that it should not be the default.
Enable <KSK><ManualRollover/>
The new two-stage rollover process makes this less important; the only difference is that without it you get warned when you need to do a rollover. It was agreed that this needs to be better documented.
Higher <InceptionOffset>?
After some discussion, it was agreed to set the default value of this to one hour.
<Zone><PropagationDelay> may be as high as 43200 seconds if following recommendations in RFC1912
It was agreed that this value should be set as the default.
<Parent><SOA><TTL>: .SE uses 172800 seconds; <Parent><SOA><Minimum>: .SE uses 7200 seconds
It was agreed that these values be set as the defaults.
<Parent><PropagationDelay> .SE has 9000 seconds (2h + 15m + 15m), but the last 15m could be much longer
Not discussed due to time limitations.
For all these, it was agreed that:
- Documentation should emphasise that the configuration file needs to be edited for individual configurations, and that the default values are highly unlikely to be suitable for everyone.
- This sentiment should be reflected in the comments in the configuration file.
Action: Rickard/Jakob - update default values as described above, and update the comments in the configuration file.
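As an added illustration (not from the minutes and not part of the OpenDNSSEC code base), the following Python script parses a kasp.xml policy and reports which of the timing values discussed above differ from the defaults agreed at this meeting, which is the kind of check an operator would run after editing the shipped file for their own zone. The element layout (Signatures/InceptionOffset, Zone/PropagationDelay, Parent/SOA/TTL, Parent/SOA/Minimum under a <Policy>), the ISO 8601 duration syntax with years counted as 365 days and months as 31 days, and the sample policy are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Defaults agreed at the 2009-11-17 meeting, in seconds. The paths are
# relative to a <Policy> element; this layout is assumed, not taken from
# the minutes.
AGREED_DEFAULTS = {
    "Signatures/InceptionOffset": 3600,   # one hour
    "Zone/PropagationDelay": 43200,       # upper bound following RFC 1912
    "Parent/SOA/TTL": 172800,             # value used by .SE
    "Parent/SOA/Minimum": 7200,           # value used by .SE
}

# ISO 8601 duration: P[nY][nM][nW][nD][T[nH][nM][nS]]
_DURATION_RE = re.compile(
    r"^P(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<weeks>\d+)W)?"
    r"(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert a duration such as PT3600S, P2D or PT2H30M to seconds.

    Year = 365 days and month = 31 days are assumed conventions here.
    """
    m = _DURATION_RE.match(text.strip())
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    p = {k: int(v or 0) for k, v in m.groupdict().items()}
    return (p["years"] * 365 * 86400 + p["months"] * 31 * 86400
            + p["weeks"] * 7 * 86400 + p["days"] * 86400
            + p["hours"] * 3600 + p["minutes"] * 60 + p["seconds"])


def check_policy(kasp_xml, policy_name="default"):
    """Return (path, found_seconds, agreed_seconds) for every timing value in
    the named policy that is missing (found_seconds is None) or differs from
    the agreed default. An empty list means the policy matches the defaults,
    which is a starting point only, not proof that it suits a given zone."""
    root = ET.fromstring(kasp_xml)
    policy = root.find(f"Policy[@name='{policy_name}']")
    if policy is None:
        raise ValueError(f"no policy named {policy_name!r}")
    findings = []
    for path, agreed in AGREED_DEFAULTS.items():
        elem = policy.find(path)
        if elem is None or not (elem.text or "").strip():
            findings.append((path, None, agreed))
            continue
        found = parse_duration(elem.text)
        if found != agreed:
            findings.append((path, found, agreed))
    return findings


# Constructed sample policy: InceptionOffset is deliberately left at five
# minutes so the checker has something to report.
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Description>constructed sample, not the shipped kasp.xml</Description>
    <Signatures>
      <InceptionOffset>PT300S</InceptionOffset>
    </Signatures>
    <Zone>
      <PropagationDelay>PT43200S</PropagationDelay>
    </Zone>
    <Parent>
      <PropagationDelay>PT9000S</PropagationDelay>
      <SOA>
        <TTL>P2D</TTL>
        <Minimum>PT7200S</Minimum>
      </SOA>
    </Parent>
  </Policy>
</KASP>
"""

if __name__ == "__main__":
    for path, found, agreed in check_policy(SAMPLE_KASP):
        state = "missing" if found is None else f"{found}s"
        print(f"{path}: {state} (meeting default {agreed}s)")
```

Running the script reports only Signatures/InceptionOffset, since P2D and PT43200S resolve to the agreed values; swapping the 300-second offset for PT1H makes the report empty.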
9. Documentation
Action: All - read and comment on the user guide.
10. What must be done before 1.0
This was covered in earlier items.
11. What to do after 1.0
Discussion deferred due to lack of time.
12. Marketing
The presentations went OK, with Stephen's attracting the interest of .cn staff at the OARC workshop. Rickard and Stephen gave more or less identical presentations - Rickard's can be found at http://www.internetdagarna.se/wordpress/wp-content/uploads/opendnssec.pdf
Rickard has met with Shane Kerr of ISC, who was hoping to use some ideas from OpenDNSSEC in BIND10.
OpenDNSSEC is also starting to be referred to elsewhere: Johan Ihren (who runs his own training company) refers to it, and a Dutch reseller of "Men & Mice" gave a live presentation of OpenDNSSEC (and wants to give feedback on V2).
13. Next meeting
Wednesday 25th at 11:00 CET (10:00 GMT).
14. AOB
A short discussion on the Luna SA HSMs.
