
Re: ETSI on Minimum Requirements for European ENUM Trials


On (23.10.02 15:20), Richard Shockey wrote:
> So why isn't .COM .NET and .ORG signed?  .UK .DE .US ???   Jim, we both know 
> the answer.
> 
> I totally reject the notion that at this stage of DNSSEC deployment and 
> development it should be a requirement of any ENUM trial.  Maybe at some 
> later date...

I agree with Richard. imho the ENUM thing is already complicated enough
(not the DNS stuff itself, but the administrative challenges of keeping
DNS and E.164 space aligned). 

Adding another "feature" would increase the complexity of the trials, and
therefore increase the risk for trials to fail.

> NO ... it's probably talking out of class for here but IMHO it is WAY WAY too 
> early to even suggest DNSSEC as part of any TRIAL... where is the client 
> support ...in MS?

yep.

> > And if DNSSEC can be deployed, the experience from a trial will
> >give incredibly valuable insight into how to handle things like key
> >management and so on. Oh, and using DNSSEC would not affect ENUM users
> >or applications that don't bother to check the signatures: they won't
> >even see the crypto gunk if they follow RFC3225 (as they should).

We hope the trial will give us the incredible value of the first real
interaction between the internet and telephony domain. Isn't that
alone already a challenging mission?

Could we agree on "Securing ENUM DNS zones should be investigated during
the trials"? I think we are a bit off the main path of the
document's purpose, which is the "minimum requirements". Those are imho:

- Agreed topology in terms of DNS space mapping between numbering space
  and DNS (exists!)
- Client interaction between trial countries (tbd., depends upon
  standardization of NAPTR contents).
- Working demo applications to gather interest of both internet and
  telephony industries (in progress)
- Administrative basics covered (processes in place for registration,
  changes, ceases, NAPTR modification)

Everything beyond that is imho nice to have for a _trial_. Whether securing
the ENUM DNS space is a must for production should be an outcome of the
trial.

> >This is misleading or incorrect. First of all BIND9 is fast enough for
> >just about everybody. It's not yet fast enough for a root server that
> >gets 5-10k queries a second (sustained) unless it runs on really fast
> >hardware. But no other name servers ever get near that level of
> >traffic, except for things like DoS attacks which BIND8 wouldn't be
> >any better at surviving than BIND9.
> 
> Yes .. I still agree that using BIND 9+ is a good requirement.
> 

No one from nllabs crying out?  nsd not an option?

I've already discussed that with Richard: Naming vendors and versions is
not a good idea. One should name requirements. I'd suggest:

"Tier1 name server software must support DNAME if numbering plan
includes dial prefix shortcuts. Tier2 name servers must support NAPTR record 
type and. If ENUM DNS space is to be secured during trial, name servers
at both tier1 and tier2 must support secured DNS."

cheers

Alex Mayrhofer


