Internet2 Joint Techs DNSSEC BOF, July 19, 2006

Slide 1: DNSSEC BOF
Larry J. Blunk, Merit Network
Internet2 Joint Techs Workshop
Madison, WI, July 19, 2006
Slide 2: Overview
- DNSSEC links
- DNSSEC Quickstart
- Internet2 trial next steps
- DLV registry
Slide 3: DNSSEC Links
- www.dnssec.net
- www.dnssec-deployment.org
- www.dnssec-tools.org
- www.internet2.edu/presentations/jt2006feb/20060208-dnssec-kolkmanmankin.ppt
- www.merit.edu/nrd/resources/dnssec_howto.pdf
Slide 4: DNSSEC Quickstart
(I don't care how it works, just tell me what commands to type!!)

1. Add "dnssec-enable yes;" to the options section of named.conf.

2. Generate a zone-signing key (ZSK):

       dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE foo.edu

   This returns "Kfoo.edu.+005+xxxxx", where xxxxx is a 5-digit random number (the key tag).

3. Generate a key-signing key (KSK):

       dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE foo.edu

   This returns "Kfoo.edu.+005+yyyyy", where yyyyy is a 5-digit random number.

4. Add the following lines to the zone file (named db.foo.edu):

       $include Kfoo.edu.+005+xxxxx.key
       $include Kfoo.edu.+005+yyyyy.key

5. Generate the db.foo.edu.signed file from the input db.foo.edu zone file
   (signatures will have a lifetime of 90 days, i.e. 7776000 seconds):

       dnssec-signzone -r /dev/urandom -o foo.edu -k Kfoo.edu.+005+yyyyy \
           -e +7776000 db.foo.edu Kfoo.edu.+005+xxxxx.key
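The signatures produced in step 5 stop validating once the -e lifetime (90 days here) runs out, so a zone that is not re-signed in time fails validation for every validating resolver. As an added example that is not part of the slides, this Python script scans a dnssec-signzone output file such as db.foo.edu.signed for RRSIGs that are expired or close to expiry; it assumes the RRSIG layout BIND writes (expiration as YYYYMMDDHHMMSS in UTC, long records wrapped across lines with parentheses) and uses a constructed sample zone.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG RDATA: covered alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+\d{14}\s+\d+\s+\S+"
)

def join_wrapped(text):
    """One record per string: re-join BIND's ( ... ) wrapped lines, drop ';' comments."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue  # still inside a parenthesized multi-line record
        records.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    return records

def parse_time(stamp):
    """YYYYMMDDHHMMSS as written by dnssec-signzone, interpreted as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expiring_rrsigs(zone_text, now, warn_days=14):
    """(owner, covered type, expiration) for RRSIGs expired or expiring within warn_days, soonest first."""
    hits = []
    for rec in join_wrapped(zone_text):
        m = RRSIG_RE.match(rec)
        if m:
            exp = parse_time(m.group("expire"))
            if exp - now <= timedelta(days=warn_days):
                hits.append((m.group("name"), m.group("covered"), exp))
    return sorted(hits, key=lambda h: h[2])

# Constructed sample in the shape of db.foo.edu.signed; not real zone data.
SAMPLE_SIGNED_ZONE = """\
foo.edu.  3600  IN SOA  ns1.foo.edu. hostmaster.foo.edu. 2006071901 3600 900 604800 3600
foo.edu.  3600  IN RRSIG SOA 5 2 3600 20061017120000 (
                        20060719120000 12345 foo.edu. AbCdEf== )
foo.edu.  3600  IN DNSKEY 257 3 5 AwEAAexample== ; key id = 54321
foo.edu.  3600  IN RRSIG DNSKEY 5 2 3600 20061017120000 20060719120000 54321 foo.edu. AbCdEf==
www.foo.edu. 3600 IN A 192.0.2.10
www.foo.edu. 3600 IN RRSIG A 5 3 3600 20060801120000 20060719120000 12345 foo.edu. AbCdEf==
"""
```

Run it against the real signed file from a cron job with `now` set to the current UTC time; anything it reports with warn_days larger than your re-signing interval is a zone that will go dark before the next signing run.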
Slide 5: Internet2 trial next steps
- Recruiting new participants
- DLV registry deployment
  - Deploy our own or use existing?
- Lobby ARIN to sign in-addr.arpa delegations
  - October ARIN meeting in St. Louis
Slide 6: DLV – DNSSEC Lookaside Validation
- Defined in RFC 4431
- Mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain
- Several trials available:
  - www.isc.org/ops/dlv
  - www.dlv.verisignlabs.com
  - www.iks-jena.de/leistungen/dnssec.php
- Should we create one for the Internet2 DNSSEC trial?
- Policies for registration?