[dns-operations] Call for Participation -- ICANN DNSSEC Workshop 20 November 2013

Julie Hedlund julie.hedlund at icann.org
Fri Aug 23 16:22:58 UTC 2013

Call for Participation -- ICANN DNSSEC Workshop 20 November 2013

The DNSSEC Deployment Initiative and the Internet Society Deploy360
Programme, in cooperation with the ICANN Security and Stability Advisory
Committee (SSAC), is planning a DNSSEC Workshop at the ICANN meeting in
Buenos Aires, Argentina on 20 November 2013.  The DNSSEC Workshop has been a
part of ICANN meetings for several years and has provided a forum for both
experienced and new people to meet, present and discuss current and future
DNSSEC deployments.  For reference, the most recent session was held at the
ICANN meeting in Durban, South Africa on 17 July 2013. The presentations and
transcripts are available at: http://durban47.icann.org/node/39749.

We are seeking presentations on the following topics:

1.  DNSSEC Activities in Latin America:
For this panel we are seeking participation from those who have been
involved in DNSSEC deployment in Latin America, but also from those who have
not deployed DNSSEC but who have a keen interest in the challenges and
benefits of deployment.  In particular, we will consider the following
questions:  What can DNSSEC do for you? What doesn't it do?  What are the
internal tradeoffs to implement DNSSEC or not?

2. The Operational Realities of Running DNSSEC
Now that DNSSEC has become an operational norm for many registries,
registrars, and ISPs, what have we learned about how we manage DNSSEC?
What's best practice around key rollovers? How often do you review your
disaster recovery procedures? Is there operational familiarity within your
customer support teams? What operational statistics have we gathered about
DNSSEC? Are there experiences being documented in the form of best
practices, or something similar, for transfer of signed zones?

3.  DNSSEC and Enterprise Activities
DNSSEC has always been seen as a huge benefit to organizations looking to
protect their identity and security on the Web. Large enterprises are an
obvious target for DNS hackers and DNSSEC provides an ideal solution to this
challenge. This session aims to look at the benefits and challenges of
deploying DNSSEC for major enterprises. Topics for discussion:
* What is the current status of DNSSEC deployment among enterprises?
* What plans do the major enterprises have for their DNSSEC roadmaps?
* What are the benefits to enterprises of rolling out DNSSEC validation? And
how do they do so?
* What are the challenges to deployment for these organizations?  Do they
foresee raising awareness of DNSSEC with their customers?

4. When Unexpected DNSSEC Events Occur
What have we learned from some of the operational outages that we have seen
over the past 18 months? Are there lessons that we can pass on to those just
about to implement DNSSEC? How do you manage dissemination of information
about the outage? What have you learned about communications planning? Do
you have a route to ISPs and registrars? How do you liaise with your CERT

5.  Preparing for Root Key Rollover
For this topic we are seeking input on issues relating to root key rollover.
In particular, we are seeking comments from vendors, ISPs, and the community
that will be affected by distribution of new root keys.

6. DANE and Other DNSSEC Applications
The DNS-based Authentication of Named Entitites (DANE) protocol is an
exciting development where DNSSEC can be used to provide a strong additional
trust layer for traditional SSL/TLS certificates. There is strong interest
for DANE usage within web transactions as well as for securing email and
Voice-over-IP (VoIP). We are seeking presentations on topics such as:
* What are some of the new and innovative uses of DANE in new areas or
* What tools and services are now available that can support DANE usage?
* How soon could DANE become a deployable reality?
* How can the industry used DANE as a mechanism for creating a more secure

7.  DNSSEC Automation:
For DNSSEC to reach massive deployment levels it is clear that a higher
level of automation is required than is currently available. Topics for
which we would like to see presentations include:
* What tools, systems and services are available to help automate DNSSEC key
* Can you provide an analysis of current tools/services and identify gaps?
* Where in the various pieces that make up DNSSEC signing and validation are
the best opportunities for automation?
* What are the costs and benefits of different approaches to automation?

8.  Guidance for Registrars in Supporting DNSSEC:
The 2013 Registrar Accreditation Agreement (RAA) for Registrars and
Resellers requires the support of DNSSEC beginning on January 1, 2014. We
are seeking presentations discussing:
* What are the specific technical requirements of the RAA and how can
registrars meet those requirements?
* What tools and systems are available for registrars that include DNSSEC
* What information do registrars need to provide to resellers and ultimately

We are particularly interested in hearing from registrars who have signed
the 2013 RAA and have either already implemented DNSSEC support or have a
plan for doing so.

9.  APIs Between the Registrars and DNS Hosting Operators:
One specific area that has been identified as needing focus is the
communication between registrars and DNS hosting operators, specifically
when these functions are provided by different entities.  Right now the
communication, such as the transfer of a DS record, occurs primarily by way
of the domain name holder copying and pasting information from one web
interface to another. How can this be automated?  We would welcome
presentations by either registrars or DNS hosting operators who have
implemented APIs for the communication of DNSSEC information - or from
people with ideas around how such APIs could be constructed.

In addition, we welcome suggestions for additional topics.

If you are interested in participating, please send a brief (1-2 sentence)
description of your proposed presentation to dnssec-buenosaires at shinkuro.com
by **Friday, 06 September 2013**

We hope that you can join us.

Thank you,

Julie Hedlund

On behalf of the DNSSEC Workshop Program Committee:
Steve Crocker, Shinkuro
Mark Elkins, DNS/ZACR
Cath Goulding, Nominet UK
Jean Robert Hountomey, AfricaCERT
Jacques Latour, .CA
Xiaodong Lee, CNNIC
Russ Mundy, Sparta/Parsons
Ondřej Surý, CZ.NIC
Lance Wolak, .ORG, The Public Interest Registry
Yoshiro Yoneya, JPRS
Dan York, Internet Society

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130823/f3f20833/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5041 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20130823/f3f20833/attachment.bin>

More information about the dns-operations mailing list