DNSSEC and Internet Development Patrik Wallström, FoU .SE Wednesday, March 9, 2011

DNSSEC and Internet Development - Uppsala University … DNS-history 1983 Paul Mockapetris invents the DNS and implements the first server: Jeeves. 1986 Formal IETF Internet


Page 1

DNSSEC and Internet Development

Patrik Wallström, FoU .SE

Wednesday, March 9, 2011

Page 2

About .SE

Domain Administration

Internet Development

Financing

User Benefit

Page 3

The charter: “The purpose of the foundation shall be to promote good stability in the infrastructure of the Internet in Sweden and to promote research, education and teaching in computer and telecommunications, with particular focus on the Internet. In doing so the foundation shall prioritise areas that increase the efficiency of the infrastructure for electronic data communication, whereby the foundation shall, among other things, disseminate information about research and development work, initiate and carry out research and development projects, and carry out qualified studies. The foundation shall in particular promote the development of the administration of domain names under the top-level domain “se.” and other national domains relating to Sweden.”

Page 4

All sorts of things!

Page 5

About me!

Page 6

Work at .SE

• Systems development
  • Wb
  • Automation, Regelverk 3.0
  • IDN, Swedish characters, Yiddish
  • Niceasy project
• DNSSEC
  • Standardization
  • Implementation
  • Prototype web management interface
• OpenDNSSEC
  • Architecture
• Healthcheck
  • Measure the whole Internet!

Page 7

DNS attack tree

• Privacy
  • Cache snooping
  • NSEC walk
• Denial of service
  • DNS servers
    • System/application crash
      • Specially crafted packet
    • Resource starvation
      • DoS attack
      • Distributed DoS attack
  • Network infrastructure
    • Core infrastructure
    • Server-edge infrastructure
    • Client-edge infrastructure
• Data integrity
  • Repository corruption
    • Outdated information
      • (D)DoS on hidden master
    • Modified information
      • Master compromised
      • Secondary compromised
      • Social engineering
    • Domain hijacking
      • Social engineering
  • System corruption
    • Resolver compromised
      • Host break-in
    • Client compromised
      • Malware
  • Protocol issues
    • Cache poisoning
      • Open recursion
      • Too liberal with additional info
      • Query prediction
        • Fixed port numbers
        • Weak ID algorithm
    • Man-in-the-middle
      • Non-secure network path

Page 8

DNS history

1983 Paul Mockapetris invents the DNS and implements the first server: Jeeves.

1986 Formal IETF Internet Standard. Two RFCs describe DNS: 1034 and 1035.

1988 DNS begins to catch on across the Internet.

1990 Steven Bellovin discovers a major flaw in the DNS. As DNS is already widely deployed on the Internet, the report is kept secret until 1995. In those years research is started on a more secure replacement for DNS.

1995 The article from Bellovin is published and DNSSEC (as it became known) becomes a topic within the IETF.

1997 RFC 2065, a predecessor of 2535, is published.

1999 RFC 2535 is published by the IETF. The DNSSEC protocol looks to be finally finished. BIND9 is developed to be the first DNSSEC-capable implementation.

1999-2001 Although the RFC is finished and BIND is DNSSEC ready, deployment is stalling.

Page 9

DNS history contd.

2001 Experiments show [3] that the key handling in RFC 2535 is causing operational problems that would make deployment difficult if not impossible. After various ideas and drafts (sig@parent) a new record was proposed: the DS RR, the Delegation Signer resource record. With this record the operational problems of DNSSEC would be solved. Because this record has the special property of only existing at the parent zone, it introduced some difficulties in the DNS protocol itself. Deployment of DNSSEC looks possible now, but the current code (i.e. BIND9) does not understand the new DS record. It is decided to rewrite 2535 into three new drafts:

draft-ietf-dnsext-dnssec-intro - an introduction to DNSSEC
draft-ietf-dnsext-dnssec-records - introduces the new records
draft-ietf-dnsext-dnssec-protocol - details the protocol changes

2002-2003 The drafts are getting more refined and better; BIND9 snapshots start appearing that are capable of handling the new DNSSEC standard (2535bis). NLnet Labs decided to run a new experiment called SECREG (secure registry) to test 2535bis. The results of this experiment are documented in [4]. In short, the experiment showed that 2535bis is ready for deployment.

Page 10

DNS history contd.

2004 The expectation is that the drafts are to be finished this year and that even the RFC could be published before 2005. Currently BIND 9.3 and higher and NSD 2 and higher are capable of handling 2535bis DNSSEC.

2005 The three new drafts are on their way to the RFC Editor. This means the new standard is almost official. Now we only have to wait for DNSSECbis to become the new standard.

2005 - March The RFCs are published:
RFC 4033 DNS Security Introduction and Requirements
RFC 4034 Resource Records for the DNS Security Extensions
RFC 4035 Protocol Modifications for the DNS Security Extensions

2005 - September .SE is the first TLD to be signed.

Page 11

.SE and DNSSEC

Project start 2001
March 2005: RFC 4033, 4034, 4035
Sep 2005: Signed .SE zone
2006
Feb 16, 2007
Sept. 2007: Soft start of service
Commercial launch of .SE-DNSSEC

Standards development
Automation
Market
Tools
Dissemination

Page 12

What is DNSSEC?

root
  .se   .dk   .org
    iis.se   sunet.se   dn.se   foo.se

The chain of trust from the root down to a signed answer:

.              DNSKEY
.              RRSIG DNSKEY
se.            DS
se.            DNSKEY
se.            RRSIG DNSKEY
sunet.se.      DS
sunet.se.      DNSKEY
sunet.se.      RRSIG DNSKEY
www.sunet.se.  A 127.0.0.1
www.sunet.se.  RRSIG A ...

Page 13

New record types

• DNSKEY
  • KSK / ZSK
• DS
• RRSIG
• NSEC / NSEC3
• NSEC3PARAM

Page 14

And some algorithms

Algorithm field   Algorithm             Source
0                 Reserved
1                 RSA/MD5               RFC 4034
3                 DSA/SHA-1             RFC 4034
5                 RSA/SHA-1             RFC 4034
7                 RSASHA1-NSEC3-SHA1    RFC 5155
8                 RSA/SHA-256           RFC 5702
10                RSA/SHA-512           RFC 5702
12                GOST R 34.10-2001     RFC 5933

Page 15

DNSKEY

iis.se. IN DNSKEY 257 3 5 AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs +LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+X XyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC 3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMw Q4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk=   ; KSK

iis.se. IN DNSKEY 256 3 5 AwEAAdancK9+0Il/tuXCBylBiUpNq4RGzDE2uQ6+nb6Un0myCJFzaN3 bzSMjAU5xlt6vnAfFZkRNKANu06j2zYjRbQucYfLEq69GIKOBnSHA46H 7uUDqM32KEL+KflIlQvFpXW2/r835mP9+dtlsa860Kf1n2ye/77I9QtC gBeZ5okF   ; ZSK


iis.se. IN RRSIG DNSKEY 5 2 3600 20090205084501 20090126084501 18937 iis.se. DiNYYelgXcgIi6+xevjgqSy/ilcWmu52LkcKk9AwoWbcBrf1Zag8gowv 8S0LWJjKUO2aYRy53VvU/nkI20AJBuec/PYtEw7pK8Z3fMFspQZeqR8Z kTQv6+l5w1n1UUKIzRNtFG5FEH5zSdb5sOL8YEyIUVScuHewmtkwoN+M dWkoB5IEb3IuT57LgiQPxMogFRH9xoR/DrP299pvBQ78dgmbCwHxQCVG orGY1XHbvfwndsqrnFmBxrxu6DwZitXSCVHWgsiMMVE/rhKpdlCwl3uZ WJ4vipACelaqjdqpZG2sLbfKpeK44WeMTiaSgypDQVnXdDaP0g7mMk3o 0xGLXQ==   ; RRSIG by key tag 18937 (KSK)

iis.se. IN RRSIG DNSKEY 5 2 3600 20090205084501 20090126084501 27345 iis.se. DLAB4SbzYw9YEs3rj0vE3eXmA6J3HiFIi0jgO3wVtnwnCzn9J5iSuTUn b1iUjsk4TpwuF6tf4udo9L1lAQPGyw+qLzEKdfQ+G02n1rvcSBDU8pPT MsgyCz6DV+TJ/oGkCVi4grUycj4q5rtCRToL4Icdx+F91moY0yW2LO6T qMw=   ; RRSIG by key tag 27345 (ZSK)

Page 17

RRSIG

g.ns.se. 172682 IN A 130.239.5.114
g.ns.se. 172682 IN AAAA 2001:6b0:e:3::1
g.ns.se. 172682 IN RRSIG A 5 3 172800 20100311000326 (
        20100304101819 40935 se.
        IbCqCAa63j6uf0o52b4JDCvkl/VHlXJCcbwpfxiizySY
        qBXkHSHJw/vDn9he8EApSzJehfXQoUa2oySukuCHssdv
        IayAonD1LG1RP1SQnxTe3iwWPcNQjMIofBn0cY2/FlVR
        W4H5WIeS2DwZpLRr7IAM51OZRGIg8aUnzfrnML8= )
g.ns.se. 172682 IN RRSIG AAAA 5 3 172800 20100310041411 (
        20100304101819 40935 se.
        Qo4JViec7dgJY1+LcpYqVoJA65Gxf9xRyCGlkZW2Xf3n
        +tO6/6jsdK+OWF9tWrtJH0xlRdeiiEu2FJU4iV+EBtZN
        1zEiy7Gyehe6UA+oAZ4s3CRfYrD+QKoZ4D6uoIucAN5g
        3H96l+Ad++tEniQtuqCzbgFVSzsBl+hMUaMEJrg= )

Page 18

Delegation Signer

In iis.se (the KSK):

iis.se. IN DNSKEY 257 3 5 AwEAAcq5u+qe5VibnyvSnGU20panweAk2QxflGVuVQhzQABQV4SIdAQs +LNVHF61lcxe504jhPmjeQ656X6t+dHpRz1DdPO/ukcIITjIRoJHqS+X XyL6gUluZoDU+K6vpxkGJx5m5n4boRTKCTUAR/9rw2+IQRRTtb6nBwsC 3pmf9IlJQjQMb1cQTb0UO7fYgXDZIYVul2LwGpKRrMJ6Ul1nepkSxTMw Q4H9iKE9FhqPeIpzU9dnXGtJ+ZCx9tWSZ9VsSLWBJtUwoE6ZfIoF1ioq qxfGl9JV1/6GkDxo3pMN2edhkp8aqoo/R+mrJYi0vE8jbXvhZ12151Dy wuSxbGjAlxk=   ; KSK

DS records in .se:

iis.se. IN DS 18937 5 2 B5C422428DEA4137FBF15E1049A48D27FA5EADE64D2EC9F3B58A994A6ABDE543
iis.se. IN DS 18937 5 1 10DD1EFDC7841ABFDF630C8BB37153724D70830A


If you have more KSK keys, you get more DS records in the parent zone.

Page 20

Zone file without DNSSEC

@ IN SOA ns.nic.se. hostmaster.iis.se. (
        2009012701 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        86400 )    ; minimum (1 day)
  NS ns.nic.se.
  NS ns2.nic.se.
  NS ns3.nic.se.
  MX 10 cleaner.prod.iis.se.
$ORIGIN iis.se.
www IN A 212.247.7.210

Page 21

A signed zone

Page 22

A signed zone

@ IN SOA ns.nic.se. hostmaster.iis.se. (
        2009012501 ; serial
        10800      ; refresh (3 hours)
        3600       ; retry (1 hour)
        604800     ; expire (1 week)
        86400 )    ; minimum (1 day)
  RRSIG SOA 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        BGZ3AMUQ3GL3yowBrrLhV9Sa8s47nmXm2ci6ZjC4kCickw5Wo1d+zSPpV9SL4hVF0XwYOtP
        fNAcGh7BaasK/jhDLMBzoI4O5ZujV0erUj/U2or27WEinUu+q5zeLiPrPy4pG654dZ+0y9aT
        7NwvCkxliKoaVlweyU4UafyxA8U= )
  NS ns.nic.se.
  NS ns2.nic.se.
  NS ns3.nic.se.
  RRSIG NS 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        sPbCYM62YiB0ciIBev+As97d/oTXVy/97EV6JITcod4xUWMjAIcuAyoFdYpGTEddAfe8xK+w
        D1nwSJLAleA7uefzOOClCxS/pIJq8Hbh92nZ0VN30wTEHk8mb97ivWrRxAqUQaeINSOei5Zh
        /J8ymfL9X639SvO2y5jHiXeZ0JM= )
  MX 10 cleaner.prod.iis.se.
  RRSIG MX 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        L+EZ/NDc5/PTDx6PLOkAUJOUdbd50bYAqNpA/WQq3s8l6g5she6A5IpgtR7BQ4zF2XtnDX0G
        vE7Zxqi6iWE/Pyd1iVxChi7NmgzK7siazfYl R7fFE+ZPSAfIHjAafD5scmk2OOIMaZzvhkk8
        nYzqbCCC0gVgurXsx8nycOUZbTM= )
  DNSKEY 257 3 5 (
        BQEAAAABuM9XroBb7Qrrz3winhL2vgNOEKDqTwiajUt/lYn9Z6GlPjd2hAsubgm+tXGKs2qo
        kdfsvCOVljiyRA885uI2o2S5ELLFlCw4LiJbedAAuJXNDvwwB8Xf8tYwxxh82fZ9JqwqD+n6
        E31w/aL0UlGuIh7PWE/lMj+O8iMv3croHScHkfVxtz9aF2fRI2QwXCjcrvS5i06Ss14Af2bB
        BUrX0y8cXKI9AulrWZIniWLIce6b88yzxPuqJaNjOg8LFC1tMsSm6aeEKErQgJaeMJheRo4P
        WFitdMB9FpCH/6ylVEbZJpm/hKOZp2uedh8AmxmSDhUM7bMngQmXD/qpgrApqQ== ) ; key id = 27840
  RRSIG DNSKEY 5 2 3600 20090131030501 (
        20090125030501 53069 iis.se.
        Kco8fH1BINR2xVe4kTtFBbjKtLe0BFvhP9iZWxgR9DCqKVK5VzxnTcLAJGF8xjwq0W8IUZws
        GSgWyOsx7bzrfoMNlkutYP14nTJio5zjX4heSx2C4Dx33egg0IlM/iur52O7KWEF7AC7l+ra
        RP3GGTCu7Ls0kGc2GDGNxothr8A= )
  NSEC www.iis.se. A NS SOA MX TXT AAAA RRSIG NSEC DNSKEY
  RRSIG NSEC 5 2 86400 20090131030501 (
        20090125030501 53069 iis.se.
        KOFHUf1ZB+e/AxGdMkTkq9W461AjFjxLHBrMRt5ULZ4+lfMsYHw5VSecMq61VabhXO5ziOCj
        B1vK4BYrUeC+xAMFWJzn6xsLMDj/MMjM5d2iZhjE1zPc2sX42M6er1fjF9rw3qjWCFTLdy8Z
        CTsiw0Ou7ESX6afYwkb7QkTdL9g= )
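The DNSKEY, Delegation Signer and signed-zone slides show the three records that link a zone into the chain of trust: the parent's DS is a digest of the child's KSK, and each RRSIG names its signing key by key tag and carries a validity window. The following Python is an added example, not .SE's or OpenDNSSEC's code: it parses records in the presentation format used on these slides, computes the RFC 4034 key tag and DS digest, and runs the consistency checks a zone operator can make without the private key (validity window, a matching DNSKEY, label count). The records in it are constructed with placeholder key and signature bytes, not real keys.

```python
"""DNSKEY -> key tag / DS, and RRSIG consistency checks (RFC 4034 / 4035).

Added example for this deck, not .SE's or OpenDNSSEC's code.  The records
below are constructed: the public-key bytes are two-byte placeholders so the
key-tag arithmetic can be followed by hand; they are not usable keys.
"""
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample records, in the same shape as the iis.se records on the slides.
KSK = "iis.se. IN DNSKEY 257 3 5 q80="   # RDATA = 01 01 03 05 ab cd
ZSK = "iis.se. IN DNSKEY 256 3 5 qw=="   # RDATA = 01 00 03 05 ab (odd length)
SIG = ("iis.se. IN RRSIG SOA 5 2 86400 20090131030501 ( "
       "20090125030501 45011 iis.se. cGxhY2Vob2xkZXI= )")  # signature bytes are a placeholder

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types shown on the DS slide


def _tokens(line):
    """Tokenize a presentation-format record; drop ';' comments and '(' ')' markers."""
    return line.split(";")[0].replace("(", " ").replace(")", " ").split()


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """owner [ttl] [class] DNSKEY flags protocol algorithm base64 (base64 may be split by spaces)."""
    tok = _tokens(line)
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
    key = base64.b64decode("".join(tok[i + 4:]))
    return {"owner": tok[0], "flags": flags, "protocol": proto, "algorithm": alg, "key": key}


def dnskey_rdata(k):
    """Wire RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", k["flags"], k["protocol"], k["algorithm"]) + k["key"]


def key_tag(k):
    """RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, then fold the carry."""
    if k["algorithm"] == 1:   # RSA/MD5 uses a different (deprecated) rule; not handled here
        raise ValueError("algorithm 1 key tags are not supported")
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(k, digest_type=2):
    """DS for the parent zone: digest over owner name (wire form) followed by the DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(k["owner"]) + dnskey_rdata(k)).hexdigest().upper()
    return f'{k["owner"]} IN DS {key_tag(k)} {k["algorithm"]} {digest_type} {digest}'


def _ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    tok = _tokens(line)
    f = tok[tok.index("RRSIG") + 1:]
    return {"owner": tok[0], "type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "orig_ttl": int(f[3]), "expiration": _ts(f[4]), "inception": _ts(f[5]),
            "key_tag": int(f[6]), "signer": f[7]}


def check_rrsig(rrsig_line, dnskey_lines, now=None):
    """Checks possible without the private key: validity window, a DNSKEY matching
    signer / key tag / algorithm, and a sane labels field.  Returns a list of problems
    (empty = consistent).  `now` is a YYYYMMDDHHmmSS string; default is the current time."""
    sig = parse_rrsig(rrsig_line)
    now = _ts(now) if now else datetime.now(timezone.utc)
    problems = []
    if now < sig["inception"]:
        problems.append("not yet valid")
    if now > sig["expiration"]:
        problems.append("expired")
    keys = [parse_dnskey(l) for l in dnskey_lines]
    if not any(k["owner"].lower() == sig["signer"].lower() and k["algorithm"] == sig["algorithm"]
               and key_tag(k) == sig["key_tag"] for k in keys):
        problems.append(f'no DNSKEY with tag {sig["key_tag"]} algorithm {sig["algorithm"]} at {sig["signer"]}')
    owner_labels = len([l for l in sig["owner"].rstrip(".").split(".") if l])
    if sig["labels"] > owner_labels:   # RFC 4035 5.3.1: labels must not exceed the owner name's
        problems.append("labels field larger than the owner name's label count")
    return problems


if __name__ == "__main__":
    for line in (KSK, ZSK):
        print(f"{line}   ; key tag {key_tag(parse_dnskey(line))}")
    print(ds_record(parse_dnskey(KSK), 2))   # what the parent publishes, as on the DS slide
    print(ds_record(parse_dnskey(KSK), 1))
    print("RRSIG problems:", check_rrsig(SIG, [KSK, ZSK], "20090128000000"))
```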


Page 24

Zone distribution

.SE:
  Customer database
  Zone file generator
  Key generator: KSK, ZSK
  Zone signer
Distribution: Philby, Burgess
Name servers: a.ns.se b.ns.se c.ns.se d.ns.se e.ns.se f.ns.se g.ns.se h.ns.se i.ns.se j.ns.se

Page 25

.SE's DNSSEC signer

.SE:
  Customer database
  Zone file generator
  Zone signer (Smartcard, HSM)
  distribution point, distribution point
name servers

Page 26

User interfaces

Page 27

Or even simpler

exempel.se DNSSEC

Page 28

Value chain

root
  .se   .dk   .org
    iis.se   sunet.se   dn.se   foo.se

Registrars

DNS Resolver (i.e. ISPs)

Applications

Internet users

Page 29

Support in applications

Key material in DNS!

DKIM

SSHFP

IPSEC

DANE - SSL/TLS in DNS

Page 30

Incidents

“The BIND bug”, 21 Sept 2007

Faulty zone file, 12 Oct 2009

Page 31

DNSCheck

Page 32

OpenDNSSEC

John A Dickinson

Page 33

What is OpenDNSSEC

• Simplifies the process of signing one or more zones
• Minimizes the key-management load on the systems administrator
• Open source software with a BSD license
• Simple to integrate into current infrastructure
• Key storage and hardware-accelerated crypto with PKCS#11

Page 34

OpenDNSSEC Overview

Page 35

• SoftHSM is a software implementation of a keystore with PKCS#11.
• Can be used to test the PKCS#11 interface without a real HSM.
• SoftHSM is developed as a component within the OpenDNSSEC project.
• Uses Botan and SQLite.
• SoftHSM makes it possible to use OpenDNSSEC with software only.

Page 36

Page 37

The goal of the IETF is to make the Internet work better.

The mission of the IETF is to produce high quality, relevant technical and engineering documents that influence the way people design, use, and manage the Internet in such a way as to make the Internet work better. These documents include protocol standards, best current practices, and informational documents of various kinds.

- RFC 3935

Page 38

Open process - any interested person can participate in the work, know what is being decided, and make his or her voice heard on the issue. Part of this principle is our commitment to making our documents, our WG mailing lists, our attendance lists, and our meeting minutes publicly available on the Internet.

Page 39

Technical competence - the issues on which the IETF produces its documents are issues where the IETF has the competence needed to speak to them, and that the IETF is willing to listen to technically competent input from any source. Technical competence also means that we expect IETF output to be designed to sound network engineering principles - this is also often referred to as "engineering quality".

Page 40

Volunteer Core - our participants and our leadership are people who come to the IETF because they want to do work that furthers the IETF's mission of "making the Internet work better".

Page 41

Rough consensus and running code - We make standards based on the combined engineering judgement of our participants and our real-world experience in implementing and deploying our specifications.

Page 42

Protocol ownership - when the IETF takes ownership of a protocol or function, it accepts the responsibility for all aspects of the protocol, even though some aspects may rarely or never be seen on the Internet. Conversely, when the IETF is not responsible for a protocol or function, it does not attempt to exert control over it, even though it may at times touch or affect the Internet.

Page 43

Its mission includes the following:

o Identifying, and proposing solutions to, pressing operational and technical problems in the Internet

o Specifying the development or usage of protocols and the near-term architecture to solve such technical problems for the Internet

o Making recommendations to the Internet Engineering Steering Group (IESG) regarding the standardization of protocols and protocol usage in the Internet

o Facilitating technology transfer from the Internet Research Task Force (IRTF) to the wider Internet community

o Providing a forum for the exchange of information within the Internet community between vendors, users, researchers, agency contractors, and network managers

Page 44

Note Well

Page 45

Documents

I-D - Internet-Draft - working document

RFC - Request for Comments

All RFCs in a standards-track or Best Current Practice (BCP) category, as well as some Informational and Experimental RFCs, originate within the IETF process and reach the RFC Editor through the IESG. Members of the IESG include the IETF Area Directors (ADs), who are responsible for sets of related working groups. These working groups develop documents that may be approved for publication as RFCs by the ADs with IESG concurrence.

Independent Submissions

Anyone can write an Internet-Draft and independently submit it to the RFC Editor for possible publication as an RFC (Informational or Experimental category only). It will be published after review, and perhaps revision, for technical competence, relevance, and adequate writing. It will also be reviewed by the RFC Editor and by the IESG for possible conflict with the IETF process. Once this has been completed successfully, independent submissions enter the same publication process as IETF submissions.

STD - Internet Standard

Page 46

Document status

Experimental

Informational

Standards Track - Proposed Standard - Draft Standard - Standard

Best Current Practice

Historic

Unknown

Page 47

Flow...

Page 48

Drafts

Page 49

Area                                              Description
Applications (APP)                                Protocols seen by user programs, such as email and the web
General (GEN)                                     Catch-all for WGs that don't fit in other areas (which is very few)
Internet (INT)                                    Different ways of moving IP packets and DNS information
Operations and Management (OPS)                   Operational aspects, network monitoring, and configuration
Real-time Applications and Infrastructure (RAI)   Delay-sensitive interpersonal communications
Routing (RTG)                                     Getting packets to their destinations
Security (SEC)                                    Authentication and privacy
Transport (TSV)                                   Special services for special packets

Page 50

dnsext

Page 51

Page 52

Start a working group!

Propose - propose an idea, preferably on an area mailing list.

Establish - a mailing list for discussion of the idea. It is easy to apply for a list at the IETF, and it is good to run it there since the same IPR policies apply to all of those lists.

Convince - an Area Director must be convinced that it is a good idea and an interesting area for a working group to work on.

Charter - name and acronym, which people are to be chairs, mailing list, purpose - what is to be produced and why. Goals and milestones - when the working group is to produce what is expected. Editors for the documents.

Send to the AD

Grind it through the IESG

Page 53

IETF in Stockholm

The IETF meeting is not a conference, although there are technical presentations. The IETF is not a traditional standards organization, although many specifications are produced that become standards. The IETF is made up of volunteers, many of whom meet three times a year to fulfill the IETF mission.

Page 54

IETF in Stockholm

Page 55

Page 56

Page 57

Dress Code

Since attendees must wear their name tags, they must also wear shirts or blouses. Pants or skirts are also highly recommended. Seriously though, many newcomers are often embarrassed when they show up Monday morning in suits, to discover that everybody else is wearing T-shirts, jeans (shorts, if weather permits) and sandals. There are those in the IETF who refuse to wear anything other than suits. Fortunately, they are well known (for other reasons) so they are forgiven this particular idiosyncrasy. The general rule is "dress for the weather" (unless you plan to work so hard that you won't go outside, in which case, "dress for comfort" is the rule!).

Page 58

Seeing Spots Before Your Eyes

Some of the people at the IETF will have a little colored dot on their name tag. A few people have more than one. These dots identify people who are silly enough to volunteer to do a lot of extra work. The colors have the meanings shown here.

Color    Meaning
Blue     Working Group/BOF chair
Green    Host group
Red      IAB member
Yellow   IESG member
Orange   Nominating Committee member

(Members of the press wear orange-tinted badges.)

It is important that newcomers to the IETF not be afraid to strike up conversations with people who wear these dots. If the IAB and IESG members and Working Group and BOF chairs didn't want to talk to anybody, they wouldn't be wearing the dots in the first place.

Page 59

In many ways, the IETF runs on the beliefs of its members. One of the "founding beliefs" is embodied in an early quote about the IETF from David Clark: "We reject kings, presidents and voting. We believe in rough consensus and running code". Another early quote that has become a commonly-held belief in the IETF comes from Jon Postel: "Be conservative in what you send and liberal in what you accept".

Page 60

IPv4 is exhausted! 2011-02-03: IANA hands out the last five /8s!

Page 61


Master's thesis!

Earlier:
- DKIM+DNSSEC
- Internet of Things, RFID+DNS
- Analysis of data from Bredbandskollen

Page 62

Thank you!

[email protected]
