Internet2 Joint Techs DNSSEC BOF July 19, 2006
DNSSEC BOF
Larry J. Blunk, Merit Network
Internet2 Joint Techs Workshop
Madison, WI
July 19, 2006
Overview
DNSSEC links
DNSSEC Quickstart
Internet2 trial next steps
DLV registry
DNSSEC Links
www.dnssec.net
www.dnssec-deployment.org
www.dnssec-tools.org
www.internet2.edu/presentations/jt2006feb/20060208-dnssec-kolkmanmankin.ppt
www.merit.edu/nrd/resources/dnssec_howto.pdf
DNSSEC Quickstart
(I don't care how it works, just tell me what commands to type!!)
Add "dnssec-enable yes;" to the options section of named.conf
    dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE foo.edu
returns "Kfoo.edu.+005+xxxxx", where xxxxx is a 5-digit random number
    dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE foo.edu
returns "Kfoo.edu.+005+yyyyy", where yyyyy is a 5-digit random number
Add the following lines to the zone file (named db.foo.edu):
    $include Kfoo.edu.+005+xxxxx.key
    $include Kfoo.edu.+005+yyyyy.key
Generate the db.foo.edu.signed file from the input db.foo.edu zone file
(signatures will have a lifetime of 90 days (7776000 seconds)):
    dnssec-signzone -r /dev/urandom -o foo.edu -k Kfoo.edu.+005+yyyyy \
        -e +7776000 db.foo.edu Kfoo.edu.+005+xxxxx.key
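The 90-day signatures set in the quickstart have to be regenerated before they lapse, so the following added example (not part of the original slides) lists the RRSIG records in a signed zone file that have fewer than a given number of days left. The function names, the sample zone data and its key tag are constructed for illustration, and the parser assumes the multi-line layout written by dnssec-signzone, with the expiration as a YYYYMMDDHHMMSS stamp.

```shell
# rrsig_expiring FILE WARN_DAYS [NOW]   (NOW is YYYYMMDDHHMMSS in UTC; FILE may be -)
# Prints "days-left owner type-covered expiration" for every RRSIG with fewer than
# WARN_DAYS of validity left; exit status is 1 if any were printed.
rrsig_expiring() {
    awk -v now="${3:-$(date -u +%Y%m%d%H%M%S)}" -v warn="$2" '
    # Seconds since 1970-01-01 UTC for a YYYYMMDDHHMMSS stamp, using civil-date
    # arithmetic so it runs in any POSIX awk (no mktime needed).
    function epoch(ts,   y, m, d, era, yoe, doy, doe, secs) {
        y = substr(ts, 1, 4) + 0; m = substr(ts, 5, 2) + 0; d = substr(ts, 7, 2) + 0
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        secs = substr(ts, 9, 2) * 3600 + substr(ts, 11, 2) * 60 + substr(ts, 13, 2)
        return (era * 146097 + doe - 719468) * 86400 + secs
    }
    /^[;$]/   { next }           # comments and $TTL / $ORIGIN / $include directives
    /^[^ \t]/ { owner = $1 }     # indented records reuse the previous owner name
    {
        for (i = 1; i + 5 <= NF; i++) {
            exp_ts = $(i + 5)
            # RRSIG rdata order: type-covered alg labels orig-ttl expiration ...
            # The 14-digit test keeps an NSEC type list that mentions RRSIG from matching.
            if ($i == "RRSIG" && length(exp_ts) == 14 && exp_ts ~ /^[0-9]+$/) {
                left = int((epoch(exp_ts) - epoch(now)) / 86400)
                if (left < warn) { print left, owner, $(i + 1), exp_ts; soon = 1 }
                break
            }
        }
    }
    END { exit soon + 0 }' "$1"
}

# Constructed excerpt in the style of db.foo.edu.signed (key tag and signatures are fake).
sample_signed_zone() {
cat <<'EOF'
foo.edu.        3600 IN SOA ns.foo.edu. admin.foo.edu. 1 7200 3600 604800 3600
                3600 RRSIG SOA 5 2 3600 20061017000000 (
                        20060719000000 11111 foo.edu. AAAA= )
                3600 NSEC www.foo.edu. NS SOA RRSIG NSEC DNSKEY
                3600 RRSIG NSEC 5 2 3600 20061017000000 (
                        20060719000000 11111 foo.edu. AAAA= )
www.foo.edu.    3600 IN A 192.0.2.10
                3600 RRSIG A 5 3 3600 20060818000000 (
                        20060719000000 11111 foo.edu. AAAA= )
EOF
}

# Demo: the sample as seen on 2006-08-01 with a 30-day warning window.
sample_signed_zone | rrsig_expiring - 30 20060801000000 || echo "re-sign before these expire"
```

Against a real zone, run it as `rrsig_expiring db.foo.edu.signed 30` from cron and alert on a non-zero exit status.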
Internet2 trial next steps
Recruiting new participants
DLV registry deployment
    Deploy our own or use existing?
Lobby ARIN to sign in-addr.arpa delegations
    October ARIN meeting in St. Louis
DLV - DNSSEC Lookaside Validation
Defined in RFC 4431
Mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain
Several trials available:
    www.isc.org/ops/dlv
    www.dlv.verisignlabs.com
    www.iks-jena.de/leistungen/dnssec.php
Should we create one for Internet2 DNSSEC trial?
Policies for registration?