1 Internet2 Joint Techs DNSSEC BOF July 19, 2006 1 DNSSEC BOF Larry J. Blunk, Merit Network Internet2 Joint Techs Workshop Madison, WI July 19, 2006



Overview

- DNSSEC links
- DNSSEC Quickstart
- Internet2 trial next steps
- DLV registry


DNSSEC Links

www.dnssec.net

www.dnssec-deployment.org

www.dnssec-tools.org

www.internet2.edu/presentations/jt2006feb/20060208-dnssec-kolkmanmankin.ppt

www.merit.edu/nrd/resources/dnssec_howto.pdf


DNSSEC Quickstart (I don’t care how it works, just tell me what commands to type!!)

1. Add “dnssec-enable yes;” to the options section of named.conf.

2. Generate the zone-signing key (ZSK):

       dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE foo.edu

   Returns “Kfoo.edu.+005+xxxxx”, where xxxxx is a 5-digit random number.

3. Generate the key-signing key (KSK):

       dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE foo.edu

   Returns “Kfoo.edu.+005+yyyyy”, where yyyyy is a 5-digit random number.

4. Add the following lines to the zonefile (named db.foo.edu):

       $include Kfoo.edu.+005+xxxxx.key
       $include Kfoo.edu.+005+yyyyy.key

5. Generate the db.foo.edu.signed file from the input db.foo.edu zonefile
   (signatures will have a lifetime of 90 days (7776000 seconds)):

       dnssec-signzone -r /dev/urandom -o foo.edu -k Kfoo.edu.+005+yyyyy \
           -e +7776000 db.foo.edu Kfoo.edu.+005+xxxxx.key
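The 90-day lifetime set with -e +7776000 (counted from the RRSIG inception time) means validating resolvers will treat the zone as bogus once those signatures expire unless db.foo.edu is re-signed first. The script below, an added example that is not part of the slides or of the BIND tools, parses the RRSIG expiration times out of a dnssec-signzone output file and flags signatures that are expired or due for re-signing; the signed-zone text embedded in it is constructed for illustration and its base64 signatures are dummies.

```python
import re
from datetime import datetime, timezone

# RRSIG RDATA layout: type-covered alg labels orig-ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+\d+\s+(?P<signer>\S+)"
)

def join_parenthesized(text):
    """Merge master-file records that continue across lines inside ( ... )."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # drop comments
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            fields = " ".join(buf).split()
            if fields:
                records.append(" ".join(fields))
            buf, depth = [], 0
    return records

def parse_ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)  # signzone writes UTC

def check_rrsigs(zone_text, now, warn_days=30):
    """Return (owner, covered type, status, days until expiration) for each RRSIG found."""
    out = []
    for rec in join_parenthesized(zone_text):
        m = RRSIG_RE.match(rec)
        if not m:
            continue
        days_left = (parse_ts(m["exp"]) - now).days
        status = "EXPIRED" if days_left < 0 else "RESIGN_SOON" if days_left < warn_days else "OK"
        out.append((m["owner"], m["covered"], status, days_left))
    return out

# Constructed sample in dnssec-signzone's output style; the SOA RRSIG spans exactly 90 days.
SAMPLE_SIGNED_ZONE = """\
foo.edu.      86400 IN RRSIG SOA 5 2 86400 (
                    20061017120000 20060719120000 12345 foo.edu.
                    c29tZWJhc2U2NHNpZ25hdHVyZQ== )
www.foo.edu.   3600 IN RRSIG A 5 3 3600 20060801120000 20060719120000 12345 foo.edu. c2ln
mail.foo.edu.  3600 IN RRSIG A 5 3 3600 20060720120000 20060421120000 12345 foo.edu. c2ln
"""

if __name__ == "__main__":
    for row in check_rrsigs(SAMPLE_SIGNED_ZONE, parse_ts("20060726120000")):
        print(row)
```

Run it from cron against the .signed file with the real current time; anything reported as RESIGN_SOON or EXPIRED means dnssec-signzone needs to be run again.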


Internet2 trial next steps

- Recruiting new participants
- DLV registry deployment
  - Deploy our own or use existing?
- Lobby ARIN to sign in-addr.arpa delegations
  - October ARIN meeting in St. Louis


DLV – DNSSEC Lookaside Validation

- Defined in RFC 4431
- Mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain
- Several trials available:
  - www.isc.org/ops/dlv
  - www.dlv.verisignlabs.com
  - www.iks-jena.de/leistungen/dnssec.php

Should we create one for Internet2 DNSSEC trial?

Policies for registration?