CURRENT_MEETING_REPORT_ Reported by James Galvin/TIS Minutes of the DNS Security Working Group (DNSSEC) The DNS Security Working Group met on Wednesday, December 7, at the San Jose IETF. The Ohta-san and Eastlake/Kaufman Proposals The meeting began with a review of the differences between the Ohta-san and Eastlake/Kaufman proposals. It was noted that this version of both documents have many similarities, with most differences in the underlying details. The gross level differences identified were as follows. o The Ohta-san proposal does not include an explicit discussion of key management or distribution while Eastlake/Kaufman does. o The Ohta-san proposal does not include a revocation mechanism while Eastlake/Kaufman does. o The Ohta-san proposal specifies the creation of eight new resource records for each algorithm supported while Eastlake/Kaufman specifies two new resource records --- a key RR and a signature RR --- each with an embedded algorithm identifier. With respect to the first two differences, it was pointed out that the Ohta-san proposal could be augmented to include the necessary discussion. There was detailed discussion of the operational implications of the last difference. The issues raised included: o Having separate resource records for each algorithm allows servers/clients to easily request exactly those signature and keys records they need. o Having a single resource record with an embedded algorithm identifier allows clients/servers to know immediately if a zone is secure without having to query for all possible algorithms. At the completion of the discussion the chair called for a consensus from the working group as to which proposal represented the best direction for the working group at this time. The working group chose the Eastlake/Kaufman proposal. Discussion of Technical Issues The remainder of the time was devoted to a discussion of three technical issues. o Revocation o Choice of algorithm o Signing of non-authoritative data On the topic of revocation, the working group concluded that this mechanism was not needed by secure DNS. Instead, the document should indicate that the expiration time of the signature should be a small multiple of the original TTL for the resource record, thus requiring that the data be re-signed on a regular schedule. The principal motivation for this was that the working group believed that any revocation mechanism conflicted with the TTL mechanism of the DNS insofar as it was attempting to clear caches of invalid data. Further, the mechanism proposed specified that revocation records be distributed on a space available basis, so there was no guarantee that in fact it would be available for processing. On the topic of algorithm choices, a brief comparison of Diffie-Hellman/ElGamal and RSA was presented. It was noted that with respect to signature verification RSA outperformed Diffie-Hellman/ElGamal by several orders of magnitude. In addition, the size of an RSA signature was at most half the size of a comparable Diffie-Hellman/ElGamal signature. There was brief mention of the problems of export and use of cryptography internationally but no conclusion was reached. The working group agreed that no change in the choice of RSA was appropriate at this time. With respect to the signing of non-authoritative data, in particular zone delegation information, Ohta-san's proposal explicitly pointed out that it was not necessary to do this as long as the key of the child zone was signed by the parent's key. The discussion noted that with Eastlake/Kaufman, if the data was signed, there would be three signature records in addition to the KEY, NS, and A records that were returned, which would have an unfavorably high probability of exceeding the payload maximum for a UDP packet. Eastlake/Kaufman agreed to revise their proposal to recommend that servers allow for the NS and A record signature records to not be included if they do not fit, since they are not required.