
02:30:28
Hello, my name is Kim Carlson and along with Kathy Schnitt and Andrew McConachie, we will be monitoring this chat room and the Q&A pod. In this role, I am the voice for remote participants. Please note that questions or comments will only be read aloud if submitted within the Q&A pod. I will read them aloud during the time set by the Chair or Moderator of this session. Questions and comments placed in chat will be considered as part of the “chat” and will not be read out loud on the microphone. This session also includes automated real time transcription. By clicking on the “closed caption” button in the Zoom toolbar you can view the real time transcription. This transcript is not official or authoritative. Please note that chat sessions are being archived and follow the ICANN Expected Standards of Behavior. http://www.icann.org/en/news/in-focus/accountability/expected-standards.

02:32:11
I don't see Steve's slides on the website.

02:33:15
@Glenn they are here: https://70.schedule.icann.org/meetings/EFynAdkZzbmxA2M5Y#/?limit=10&sortByFields[0]=isPinned&sortByFields[1]=lastActivityAt&sortByOrders[0]=-1&sortByOrders[1]=-1&uid=E6umHFHPvcfTAnSNE

02:45:10
Reminder: During this session, questions or comments will only be read aloud if submitted within the Q&A pod. I will read them aloud during the time set by the Chair or Moderator of this session. If you would like to ask your question or make your comment verbally, please raise your hand. When called upon, you will be given permission to unmute your microphone. Kindly unmute your microphone at this time to speak.

02:48:31
Not directly relevant to the current ppt but are there any plans for ICANN/IANA to support the use of CDS/CDNSKEY polling to enable automated rollovers at the TLD level, making it easier for KSK rolls and also for registry transitions between RSPs.

02:50:07
Hi all, sorry for the delay, the coffee break lasted...

02:50:53
@Brett: I don’t think ICANN/IANA has a role here, but perhaps I misunderstand your question.

02:53:11
Steve, us lowly attendees cannot see whatever it is that Brett said that you responded to.

02:54:03
Brett wrote: Not directly relevant to the current ppt but are there any plans for ICANN/IANA to support the use of CDS/CDNSKEY polling to enable automated rollovers at the TLD level, making it easier for KSK rolls and also for registry transitions between RSPs.

02:54:24
thanks Steve

02:55:34
@steve I’m trying to imagine a way that I can do dnskey rolls or GTLD transitions (from another provider) to Nominet and do this without the multiple interactions we do with the RZM manually. EG by placing a CDS record in the TLD that IANA can poll for then insert the new DS into the root (or remove of course)

02:56:23
@steve we have done a lot of GTLD transitions and the multiple interactions needed with the RZM are a PITA

02:57:06
Brett, can you repeat for the attendees too?

02:57:27
I’m trying to imagine a way that I can do dnskey rolls or GTLD transitions (from another provider) to Nominet and do this without the multiple interactions we do with the RZM manually. EG by placing a CDS record in the TLD that IANA can poll for then insert the new DS into the root (or remove of course)

03:00:51
Yes, a TLD operator could in theory publish CDNSKEY and IANA could poll for it and update the root zone the same way as some TLDs automate DNSSEC towards SLDs. To me it is a relevant question. AFAIK, they prefer a solution by creating some API for automation instead of this.

03:01:53
Yes, an API would also work but it seems to me IANA and the TLDs should be doing it the same way as everyone else, if you see what I mean.

03:03:04
I think I understand now. IANA has its own interface for TLD operators to update records in the root. I don’t know whether they plan to change their interface or support polling for DNS/CDNSKEY records. I recommend asking Kim Davies directly.

03:04:36
Thanks Steve, sorry if I phrased the question in a confusing manner. I’ll speak to Kim :)

03:06:28
REMINDER: During this session, questions or comments will only be read aloud if submitted within the Q&A pod. I will read them aloud during the time set by the Chair or Moderator of this session. If you would like to ask your question or make your comment verbally, please raise your hand. When called upon, you will be given permission to unmute your microphone. Kindly unmute your microphone at this time to speak.

03:07:54
I think I was completely focused on the next level down and just missed what you were asking. My apologies

03:08:47
That's pretty awesome, coming from a tech guy.

03:09:12
TLDs tend to change their DS RRSets very infrequently, and there is usually a good deal of planning involved. I'm not convinced that CDS/CDNSKEY in TLD zones would be solving a problem that really exists, but perhaps there are use-cases I am unfamiliar with

03:09:29
CSYNC support has been merged into PowerDNS and is available from our snapshot builds. It will indeed be part of the next release (4.5).

03:09:46
for contracted parties, publishing CDS/CDNSKEY might technically be contrary to the registry agreement so there might be some policy work to do there ("might" because I am definitely not a lawyer :-)

03:10:02
publishing CDS/CDNSKEY in the TLD zone itself, I mean, not digesting it from child zones

03:12:59
Excellent Peter!

03:14:11
thanks :)

03:27:49
REMINDER: During this session, questions or comments will only be read aloud if submitted within the Q&A pod. I will read them aloud during the time set by the Chair or Moderator of this session. If you would like to ask your question or make your comment verbally, please raise your hand. When called upon, you will be given permission to unmute your microphone. Kindly unmute your microphone at this time to speak.

03:27:58
Do we know what the current DNSSEC adoption rate is by ICANN region and how that growth rate is expected to behave?

03:29:14
Can we post links of the projects that Eric and team are working on? I'd like to follow up.

03:29:18
I can answer

03:29:49
When a child publishes a CDS/CDNSKEY, how do we know who's responsible to poll? the registrar? the registry? a DNS operator? or it does not matter if the CDS is properly signed...

03:30:20
https://github.com/DNSSEC-Provisioning

03:31:32
@Jacques, my view is the registry determines who does the work. That is, some registries will do it, but in other cases, the registry will not do it and then must make it clear to the registrars that it’s up to them.

03:31:36
DNSSEC Tools Stats - https://stats.dnssec-tools.org/

03:32:19
dnsthough.n;netlabs.nl has some other stats as well

03:32:49
I meant: https://dnsthought.nlnetlabs.nl

03:33:21
It looks at what resolvers do

03:33:54
This is the link I was talking about: http://secspider.net/islands.html

03:35:30
The regions with the most DNSSEC adoption are Northern and Central Europe, USA and Brazil.

03:35:42
How widely are DPS statements published by TLDs? Does ICANN have any policy on this w.r.t. contracted parties?

03:35:57
Any tracking of CCTLDs?

03:37:06
What does “tracking of ccTLDs” mean?

03:38:12
mailing list: dnssec-provisioning@shinkuro.com

03:38:25
https://github.com/DNSSEC-Provisioning

03:38:35
I will be happy to add anyone who’s interested. Send email to me at steve@shinkuro.com

03:50:02
Thank you for joining us for the DNSSEC and Security Workshop Part 2. Part 3 will begin at 17:30 UTC and will be in this same Webinar Room, therefore there is no need to disconnect. Enjoy your break.