Internet2 DNSSEC Pilot
Shumon Huque
University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop
Madison, Wisconsin, U.S.A., July 19th 2006
Description of the Pilot
• Goal: Deploy DNSSEC and gain operational experience
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
• Set up security-aware resolvers
  • configured with the trust anchors
A little background ..
• Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs
• Mar ‘06: dnssec@internet2 mailing list
• Apr ‘06: Internet2 Spring Member meeting
  • Advisory group formed and plans for a pilot project formulated
• May ‘06: Pilot group began
  • Bi-weekly conference calls and progress reports
Co-ordination
• Internet2 and Shinkuro
• Partner in DNSSEC Deployment Initiative
  • http://www.dnssec-deployment.org/
• Some funding from US government
DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
  • All zones: magpi.{net,org} & 15 reverse zones
  • https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
  • radb.net
  • nanog.org
• NYSERNet - test zone
  • nyserlab.org
Deployments in the pipeline ..
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• University of Massachusetts - Amherst
• Internet2
Ongoing work & discussion
• To DLV or not? (and if so, which registry?)
• “DNSSEC Lookaside Validation”
• Deploy NSEC3 or not?
• Stub resolver security
• Key maintenance & rollover policies
• Secure delegations from parents
  • .edu, .net, .org, .in-addr.arpa
More participants welcome!
• (participation not restricted to Internet2)
• Join mailing list
• Participate in con calls
• DNSSEC BoF @ lunchtime today
References
• Internet2 DNSSEC Pilot
  • http://www.dnssec-deployment.org/internet2/
  • http://rosetta.upenn.edu/magpi/dnssec.html
• Mailing list: [email protected]
  • https://mail.internet2.edu/wws/info/dnssec
• Internet2 DNSSEC Workshop
  • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243
References (2)
• DNSSEC(bis) technical specs:
  • RFC 4033, 4034, 4035
• Related:
  • Threat analysis of the DNS: RFC 3833
  • Operational practices
    • draft-ietf-dnsop-dnssec-operational-practices-08
  • NSEC3: draft-ietf-dnsext-nsec3-05
  • DLV: draft-weiler-dnssec-dlv-01
  • ISC DLV registry:
    • http://www.isc.org/index.pl?/ops/dlv/
Questions?
• Shumon Huque
  • shuque -at- isc.upenn.edu