[DNSOP] REMINDER: Soliciting presentation proposals for the ICANN DNS Symposium 2024

2024. We will notify accepted speakers and publish a preliminary agenda by 30 August 2024. Thank you, and we hope to see you there! Matt Larson VP, Research, Office of the CTO Managing Director, Washington, D.C. ICANN ___ DNSOP mailing list --

[DNSOP]Announcing the ICANN DNS Symposium 2024 and solicitation of presentation proposals

ttack or outage. To submit a presentation proposal, please send a one-paragraph description of your proposed topic to ids-propos...@icann.org by 26 August 2024. We will notify accepted speakers and publish a preliminary agenda by 30 August 2024. Thank you, and we hope to see you there! Matt Lars

[DNSOP] REMINDER: Soliciting presentation proposals for the ICANN DNS Symposium 2023

we hope to see you there! Matt Larson VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Announcing the ICANN DNS Symposium 2023 and solicitation of presentation proposals

. Thank you and we hope to see you there! Matt Larson VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] REMINDER: Soliciting presentation proposals for ICANN DNS Symposium 2022

th IDS and IANA Community Day, including schedule, venue and registration information, please visit https://www.icann.org/ids. Thank you and we hope to see you there! Matt Larson VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ie

[DNSOP] Announcing the ICANN DNS Symposium 2022 and solicitation of presentation proposals

t zone changes. TLD managers, DNS experts, and other interested parties are encouraged to attend. For more information on both IDS and IANA Community Day, including schedule, venue and registration information, please visit https://www.icann.org/ids. Thank you and we hope to see you there! Matt Lar

[DNSOP] Announcing the ICANN DNS Symposium 2022 and solicitation of presentation proposals

parties are encouraged to attend. For more information on both IDS and IANA Community Day, including schedule, venue and registration information, please visit https://www.icann.org/ids. Thank you and we hope to see you there! Matt Larson VP of Research ICANN Offic

[DNSOP] ICANN Resolver Operator Forum 2021

two hours. Registration information is available at: https://features.icann.org/event/icann-organization/icann-resolver-operator-forum Matt Larson VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman

[DNSOP] REMINDER: ICANN DNS Symposium 2021 and solicitation of presentation proposals

and are looking forward to putting together a great program. Thanks! Matt Larson VP of Research ICANN Office of the CTO Begin forwarded message: From: Matt Larson mailto:matt.lar...@icann.org>> Subject: Announcing the ICANN DNS Symposium 2021 and solicitation of presentation proposals Date:

[DNSOP] Announcing the ICANN DNS Symposium 2021 and solicitation of presentation proposals

e information please visit https://www.icann.org/ids. Thank you and we hope you will join us. Matt Larson VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Cancellation: ICANN DNS Symposium (IDS) 2020 in Paris, France

ncy of international concern by the World Health Organization. Currently, there are no plans to reschedule the IDS in 2020. We will post details regarding IDS 2021 when they become available. Matt Larson VP of Research ICANN Office of the CTO ___

[DNSOP] REMINDER: ICANN DNS Symposium 2020 solicitation of presentation proposals

ubmissions and are looking forward to putting together a great program. Thanks! Matt Larson VP of Research ICANN Office of the CTO Begin forwarded message: From: Matt Larson mailto:matt.lar...@icann.org>> Subject: Announcing the ICANN DNS Symposium 2020 and solicitation of presentation propo

[DNSOP] Announcing the ICANN DNS Symposium 2020 and solicitation of presentation proposals

s://www.icann.org/ids. Thank you and we hope to see you there. Matt Larson VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Save the date: ICANN DNS Symposium (IDS) 2020

e changes have on the DNS for good or ill.. A call for presentations will be posted early next year. Visit https://www.icann.org/ids for more information on the venue and previous IDS events. Thanks, and we hope to see you there! Matt -- Matt Larson, VP of Research ICANN Office of the CTO __

[DNSOP] Root zone KSK-2010 is now revoked

subscribing to ksk-rollo...@icann.org to receive announcements and participate in discussion about the KSK rollover process in particular and DNSSEC in the root zone in general. For the root zone management partners, Matt -- Matt Larson, VP of Research ICANN Office of the

[DNSOP] The root KSK roll has occurred

mailing lists, including this one, so please reply here with any issues or concerns.. Matt -- Matt Larson, VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Save the date: ICANN DNS Symposium (IDS) 2019

rmation on the venue and previous IDS events. Thanks, and we hope to see you there! Matt -- Matt Larson, VP of Research ICANN Office of the CTO ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] One Chair's comments on draft-wessels-dns-zone-digest

> On Jul 31, 2018, at 5:44 AM, Philip Homburg > wrote: > > I wonder if there still is a use case for distributing the root zone. With > QNAME minimization and NXDOMAIN based on NSEC records, the major use cases > seem to be gone. Compared to other zones, the root is massively over > provisione

[DNSOP] REMINDER: Still soliciting presentation proposals for the ICANN DNS Symposium 2018

hope to see you there. Matt Larson VP of Research ICANN Office of the CTO The theme for the IDS 2018 is: “Attention, Domain Name System: Your 30 year scheduled maintenance is overdue”. Remarkable as it may seem, the Domain Name System (DNS) is well into its thirties. The DNS began as an exercise

[DNSOP] Announcing the ICANN DNS Symposium 2018 and solicitation of presentation proposals

proposed topic to ids-propos...@icann.org by 1 June 2018. For more information, including schedule and venue information, please visit https://www.icann.org/ids. Thank you and we hope to see you there. Matt Larson VP of Research ICANN Office of the CTO

Re: [DNSOP] Terminology question: split DNS

> On Mar 19, 2018, at 3:26 PM, Darcy Kevin (FCA) > wrote: > > The trouble with "split horizon" is that it is a term of inter-network > routing of much older and more-established provenance, and thus to use it for > DNS can be viewed as a usurpation, and ultimately, confusing. (I know Cricket

Re: [DNSOP] [Ext] Re: KSK-Sentinal: Once more down the naming rathole.

> On Feb 22, 2018, at 4:33 AM, Ralph Dolmans wrote: > > > On 22-02-18 10:03, Petr Špaček wrote: >> I would prefer decimal for user-friendliness, and zero padding to make >> implementation easier and faster. > > +1, decimal and zero padded to 5 digits to make it fixed length labels. > > -- Ral

Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?

> On Feb 8, 2018, at 12:32 PM, Paul Vixie wrote: > > > > Matt Larson wrote: >> I would love to see BIND's trusted-keys syntax deprecated. Not the >> ability to configure a trust anchor statically, mind you, just the >> syntax. Changing the syntax and

Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?

> On Feb 8, 2018, at 9:43 AM, Joe Abley wrote: > > > >> On 8 Feb 2018, at 09:24, sth...@nethelp.no wrote: >> >>> If just to spread rumors, I heard the following as early as November, 2016. >>> One of the issues is that operators update code without updating >>> configuration files. I.e.,

Re: [DNSOP] A conversational description of sentinel.

> On Feb 7, 2018, at 6:13 AM, Benno Overeinder wrote: > > On 07/02/2018 10:12, Warren Kumari wrote: >> Whoops, last message was blank; finger fail. >> >> >> On Wed, Feb 7, 2018 at 3:57 AM, Warren Kumari wrote: >>> On Wed, Feb 7, 2018 at 2:15 AM, Petr Špaček wrote: Fine. Now we nee

[DNSOP] Announcing draft plan for continuing with the root KSK roll and public comment period

think of the plan and the proposed (not yet final) rescheduled date for the root KSK roll of October 11, 2018. Matt Announcing Draft Plan For Continuing With The KSK Roll By Matt Larson, VP of Research, Office of Chief Technology Officer A formal ICANN public comment <https://www.icann.org

Re: [DNSOP] Making draft-ietf-dnsop-kskroll-sentinel apply to all zones

> On Dec 15, 2017, at 10:37 AM, Joe Abley wrote: > > In practical terms anybody who has a non-root trust anchor installed has a > bidirectional operational relationship with the people who publish it. > Synchronising that trust anchor, with the glorious benefit of a full list of > relying par

Re: [DNSOP] Making draft-ietf-dnsop-kskroll-sentinel apply to all zones

> On Dec 15, 2017, at 10:48 AM, Paul Hoffman wrote: > >> While it's conceptually elegant to have this mechanism easily available to >> the operator of nameservers for any zone, it's not clear to me that this is >> supported by a tangible use case. > > A TLD operator who doesn't really like th

Re: [DNSOP] Call for Adoption: draft-huston-kskroll-sentinel

> On Nov 16, 2017, at 3:23 AM, tjw ietf wrote: > > This starts a Call for Adoption for draft-huston-kskroll-sentinel I support the document and will review and provide comments. Matt ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman

Re: [DNSOP] draft-wkumari-dnsop-internal and DNAME

> On Nov 10, 2017, at 7:12 AM, Stephane Bortzmeyer wrote: > > draft-wkumari-dnsop-internal-00 says "This document requests that the > .internal TLD be assigned to the IANA (similar to the way that > .example is) and a DNSSEC insecure delegation (that is, a delegation > with no DS records) be ins

Re: [DNSOP] Resolver behaviour with multiple trust anchors

The root KSK rollover project has given me a real appreciation for the brittleness of trust anchor configuration, even with RFC 5011. (Automated update support should get better over time, especially after the first KSK roll exposes problems, but right now it's pretty shaky, which is my informed

Re: [DNSOP] Call for Adoption draft-hunt-dnsop-aname

On May 11, 2017, at 6:55 AM, tjw ietf wrote:I'm caught up with my day job, and the discussion on this has died down, but it looks like the work is moving along smoothly, it's time to kick off a Call for Adoption on this document. (well, maybe late). This starts a Call for Adopt

Re: [DNSOP] .arpa

> On Mar 23, 2017, at 2:30 PM, Ted Lemon wrote: > > On Mar 23, 2017, at 2:11 PM, Ralph Droms > wrote: >> No snark intended, but if "the protocol" were really just DNS, we wouldn't >> be having this discussion. Rather, it is the DNS wire protocol using a >> local

[DNSOP] Announcement of ICANN DNS Symposium

ld in the same venue, Hotel NH Collection Madrid Eurobuilding, Calle de Padre Damián, 23, 28036, Madrid, Spain. Register for the Symposium now at https://registration.icann.org/register.php?id=dns-symposium-2017. I hope to see you in Spain! Matt -- Matt Larson VP of Research, Office of the CTO, I

Re: [DNSOP] DNSSEC operational issues long term

t-anchors/root-anchors.p7s)? That signature chains to the ICANN CA cert, which currently expires in 2029. Sure, it's more code, but it can all be done with OpenSSL, for example. Matt -- Matt Larson VP of Research, Office of the CTO, ICANN ___ DN

Re: [DNSOP] Heads-up - draft about "letting localhost be localhost" in SUNSET4 that really should be in DNSOP

> On Nov 20, 2016, at 9:27 PM, Ted Lemon wrote: > > The point is that the current policy for the root precludes an > unsecure delegation. Huh? If by "insecure delegation" you mean "no DS record", then are are plenty such delegations right now: $ comm -23 tlds tlds_with_ds | wc -l 161 I

Re: [DNSOP] DNSSEC operational issues long term

e https://github.com/kirei/dnssec-ta-tools. For background, see Paul's recent DNS-OARC presentation: https://indico.dns-oarc.net/event/25/session/2/contribution/21/material/slides/0.pdf. Matt -- Matt Larson VP of Research, Office of the CTO, ICANN _

Re: [DNSOP] Where in a CNAME chain is the QNAME?

> On Sep 23, 2016, at 4:22 AM, Stephane Bortzmeyer wrote: > > On Tue, Sep 20, 2016 at 06:13:50PM +0200, > Stephane Bortzmeyer wrote > a message of 68 lines which said: > >> This issue was spotted by Peter van Dijk. It is about >> draft-ietf-dnsop-nxdomain-cut-05, recently approved by IESG. Th

Re: [DNSOP] [apps-discuss] Draft of interest in DNSOP: draft-ietf-dnsop-attrleaf

Patrik, > On Aug 9, 2016, at 12:06 PM, Patrik Fältström wrote: > > On 4 Aug 2016, at 18:55, Dave Crocker wrote: > For URI records RFC 7553 says they're either named the same as SRV records, or they use enumservice names from the Enumservice >>> >>> Declaring a namespace as the union

[DNSOP] .com DNSSEC operational message

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Over the next several weeks, Verisign will deploy DNSSEC in the .com zone. This message contains operational information related to the deployment that might be of interest to the Internet operational community. The .com DNSSEC deployment consists of

[DNSOP] .gov DNSSEC operational message

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 A KSK roll for the .gov zone will occur at the end of January, 2011. This key change is necessitated by a registry operator transition: VeriSign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for

Re: [DNSOP] On resolver priming

On Thu, 11 Nov 2010, Andrew Sullivan wrote: > I think these discussions waste a lot of time, and so as a purely > tactical measure it strikes me that we could shut down that line of > argument by just signing the data. So we should alter critical infrastructure to stifle argument and, by extension

Re: [DNSOP] Should root-servers.net be signed

On Tue, 09 Mar 2010, Tony Finch wrote: > On Tue, 9 Mar 2010, Matt Larson wrote: > > > > Even after .net is signed (in Q4 2010) > > I note that Verisign's press releases say "by Q1 2011" which I find rather > hard to interpret. Why don't they say "

Re: [DNSOP] Should root-servers.net be signed

On Tue, 09 Mar 2010, Wouter Wijngaards wrote: > Also +1 for the consensus analysis about signing: not on the path of > trust but still somewhat useful to do, but not add another TA for it. I have not seen any consensus emerge one way or another regarding signing root-servers.net. Even after .net

Re: [DNSOP] Should root-servers.net be signed

On Mon, 08 Mar 2010, George Barwood wrote: > It's interesting to note that currently > > dig any . @a.root-servers.net +dnssec > > truncates, leading to TCP fallback > > but > > dig any . @l.root-servers.net +dnssec > > does not truncate ( response size is 1906 bytes ). a.root-servers.net's s

Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

On Sun, 21 Feb 2010, Eric Rescorla wrote: > On Sun, Feb 21, 2010 at 4:22 PM, Mark Andrews wrote: > > Actually NSEC is technically better at proving non-existance.  NSEC3 > > has a non zero false positive rate due to the fact that the names > > are hashed.  NSEC has a zero false positive rate. > >

Re: [DNSOP] L-Root Maintenance 2010-01-27 1800 UTC - 2000 UTC

On Thu, 28 Jan 2010, Mark Andrews wrote: > The DNSKEY RRset size seems small for testing. We really should > be looking the biggest key set sizes that occur during rollover > simultaneous ZSK/KSK rollovers. Hopefully that is in the planning. The design allows for ZSK rollovers at calendar quarte

Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

On Fri, 22 Jan 2010, Paul Wouters wrote: > On Fri, 22 Jan 2010, Alex Bligh wrote: >> I meant computational resource requirements resultant from crypto >> operations, not algorithmic complexity. > > I had no problems doing this on a 1.2M domains TLD zone, using off the > shelf hardware, integrating

[DNSOP] Root zone DNSSEC deployment web site and technical status update

u can reach the entire team at roots...@icann.org. On behalf of the root zone DNSSEC deployment team, Matt Larson -- Status Update, December, 2009 This is the first of a series of technical status updates intended to inform a technical audience on the progress of deploying DNSSEC in the root zo

Re: [DNSOP] I-D Action:draft-liman-tld-names-00.txt

On Sat, 07 Mar 2009, Patrik Fltstrm wrote: > Will there also be a problem with digits within a label? "Probably > not", but I rather see a generic good definition of "the gray area" > and who is responsible for arguing (I an not saying proving here) > whether something is "ok to delegate" or not, a

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

On Wed, 11 Mar 2009, Mark Andrews wrote: > > In message <20090310213643.gn2...@dul1mcmlarson-l1.local>, Matt Larson writes: > > Mark, > > > > On Wed, 11 Mar 2009, Mark Andrews wrote: > > > [...] it is impossible to convert a DS to a DNSKEY prior to the >

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

Mark, On Wed, 11 Mar 2009, Mark Andrews wrote: > [...] it is impossible to convert a DS to a DNSKEY prior to the > publication of the DNSKEY in the DNS. Why would a validator ever need to do this? Matt ___ DNSOP mailing list DNSOP@ietf.org https://www.

Re: [DNSOP] A different question

On Tue, 26 Aug 2008, David Conrad wrote: > On Aug 26, 2008, at 12:08 PM, Matt Larson wrote: > >Note that the root-servers.net zone as configured on > >root.verisignlabs.com is not signed, since the root-servers.net zone > >would not be signed, nor would it need to be, if th

Re: [DNSOP] A different question

On Sat, 23 Aug 2008, Mark Andrews wrote: > > > On Fri, 22 Aug 2008, Mark Andrews wrote: > > > David do you have a nameserver we can bounce queries off > > > which has the root zone signed as it would be in production? > > > > VeriSign's root DNSSEC testbed is serving a root zone that is not >

Re: [DNSOP] A different question

On Fri, 22 Aug 2008, Mark Andrews wrote: > Every machine that is setting DO is asserting that it can > handle the responses the roots will generate. These are > the same sorts of response the servers for SE and BR are > sending. I'm not (just) concerned about individual re

Re: [DNSOP] A different question

On Thu, 21 Aug 2008, David Conrad wrote: > Now, I've always thought a separate root infrastructure that you had > to opt in to would be a good way to go, but this quickly gets bogged > down in extremely annoying (at least to me) layer 9 politics and I'll > let someone else try to push that bo

[DNSOP] Omnibus reply to comments on draft-ietf-dnsop-dnssec-trust-anchor-01.txt

Dear colleagues, Thanks to everyone who reviewed draft-ietf-dnsop-dnssec-trust-anchor-01.txt. In this one message I've replied to several of the emails with comments. A new version (-02) of the draft should appear shortly. See you in Dublin! Matt On Wed, 20 Feb 2008, Suresh Krishnaswamy wrot

Re: [DNSOP] draft-ietf-dnsop-reflectors-are-evil-05.txt

Much against my better judgement, I'm replying to an author who repeatedly shows himself incorrigible. But lest his continued repetition of a false claim--that authority servers can be used to mount as large an attack as open servers--begin to give it an air of truth, I'd like to point out: On Mo

Re: L-Root address change [Re: [DNSOP] AS112 for TLDs]

On Wed, 28 Nov 2007, Peter Koch wrote: > On Tue, Nov 27, 2007 at 02:35:29PM -0800, John Crain wrote: > > > Currently about 60% New IP to 40% old IP... and rising slowly > > > > So clearly a lot of folks still need to up date their hints files :( > > part of that traffic will be due to old hints

Re: [DNSOP] (fwd) I-D ACTION:draft-larson-dnsop-trust-anchor-00.txt

Folks, Thanks for your comments on the document. Olafur and I have prepared a -01 version, which I just submitted. On Tue, 16 Jan 2007, Ed Lewis wrote: > What is a trust anchor? Is it a domain name or is it a specific key > at a domain name? The question comes up when you mention that it > s

[DNSOP] (fwd) I-D ACTION:draft-larson-dnsop-trust-anchor-00.txt

Dear colleagues, I would like to please call your attention to a new Internet-Draft, which Olafur and I volunteered to write. The motivation for the work came out of the DNSSEC Deployment Initiative (please see http://www.dnssec-deployment.org/), which some of you may be familiar with. We would