
DNSSEC BOF

Larry J. Blunk, Merit Network Internet2 Joint Techs Workshop Madison, WI July 19, 2006. DNSSEC BOF. Overview. DNSSEC links DNSSEC Quickstart Internet2 trial next steps DLV registry. DNSSEC Links. www.dnssec.net www.dnssec-deployment.org www.dnssec-tools.org


Presentation Transcript


  1. Larry J. Blunk, Merit Network. Internet2 Joint Techs Workshop, Madison, WI, July 19, 2006. DNSSEC BOF

  2. Overview
     • DNSSEC links
     • DNSSEC Quickstart
     • Internet2 trial next steps
     • DLV registry

  3. DNSSEC Links
     • www.dnssec.net
     • www.dnssec-deployment.org
     • www.dnssec-tools.org
     • www.internet2.edu/presentations/jt2006feb/20060208-dnssec-kolkmanmankin.ppt
     • www.merit.edu/nrd/resources/dnssec_howto.pdf

  4. DNSSEC Quickstart (I don't care how it works, just tell me what commands to type!!)
     • Add "dnssec-enable yes;" to the options section of named.conf
     • dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE foo.edu
        • returns "Kfoo.edu.+005+xxxxx", where xxxxx is a 5-digit random number
     • dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE foo.edu
        • returns "Kfoo.edu.+005+yyyyy", where yyyyy is a 5-digit random number
     • Add the following lines to the zonefile (named db.foo.edu)
        • "$include Kfoo.edu.+005+xxxxx.key"
        • "$include Kfoo.edu.+005+yyyyy.key"
     • Generate the db.foo.edu.signed file from the input db.foo.edu zonefile (signatures will have a lifetime of 90 days (7776000 seconds))
        • dnssec-signzone -r /dev/urandom -o foo.edu -k Kfoo.edu.+005+yyyyy \
              -e +7776000 db.foo.edu Kfoo.edu.+005+xxxxx.key

  5. Internet2 trial next steps
     • Recruiting new participants
     • DLV registry deployment
        • Deploy our own or use existing?
     • Lobby ARIN to sign in-addr.arpa delegations
        • October ARIN meeting in St. Louis

  6. DLV – DNSSEC Lookaside Validation
     • Defined in RFC 4431
     • Mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain
     • Several trials available
        • www.isc.org/ops/dlv
        • www.dlv.verisignlabs.com
        • www.iks-jena.de/leistungen/dnssec.php
     • Should we create one for Internet2 DNSSEC trial?
     • Policies for registration?
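
An added example, not part of the original slides: the quickstart on slide 4 signs with a 90-day lifetime (-e +7776000), so db.foo.edu.signed has to be re-signed before its RRSIG records expire. This Python check reads the RRSIG records out of signed-zone text and reports the ones close to expiry; the zone excerpt, the key tags and the 14-day warning window are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt shaped like dnssec-signzone output for foo.edu.
# Key tags (11111, 22222) and signature/key data are placeholders.
SAMPLE_SIGNED_ZONE = """\
foo.edu.  3600 IN SOA ns1.foo.edu. admin.foo.edu. (
              2006071901 7200 3600 1209600 3600 )
          3600 RRSIG SOA 5 2 3600 20061017000000 (
              20060719000000 11111 foo.edu.
              c2FtcGxl )  ; placeholder signature
          3600 DNSKEY 257 3 5 AwEAAQ==
          3600 RRSIG DNSKEY 5 2 3600 20061017000000 (
              20060719000000 22222 foo.edu.
              c2FtcGxl )
"""

def _ts(field):
    # dnssec-signzone writes RRSIG times as YYYYMMDDHHMMSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Return one dict per RRSIG record found in master-file text."""
    text = re.sub(r";[^\n]*", "", zone_text)            # strip comments
    tokens = text.replace("(", " ").replace(")", " ").split()
    sigs = []
    for i, tok in enumerate(tokens):
        fields = tokens[i + 1:i + 9]
        if tok != "RRSIG" or len(fields) < 8:
            continue
        covered, _alg, _labels, _ttl, exp, inc, tag, signer = fields
        if not (re.fullmatch(r"\d{14}", exp) and re.fullmatch(r"\d{14}", inc)):
            continue          # e.g. "RRSIG" listed in an NSEC type bitmap
        sigs.append({"covered": covered, "keytag": int(tag), "signer": signer,
                     "inception": _ts(inc), "expiration": _ts(exp)})
    return sigs

def expiring(zone_text, now, warn_days=14):
    """List (type covered, key tag, days left) for signatures inside the window."""
    out = []
    for s in parse_rrsigs(zone_text):
        days_left = (s["expiration"] - now).total_seconds() / 86400
        if days_left < warn_days:                       # negative: already expired
            out.append((s["covered"], s["keytag"], days_left))
    return out

if __name__ == "__main__":
    for covered, tag, days in expiring(SAMPLE_SIGNED_ZONE, datetime.now(timezone.utc)):
        print(f"RRSIG {covered} (key tag {tag}): {days:.1f} days left, re-sign the zone")
```

Run against a real db.foo.edu.signed from cron, any output means the dnssec-signzone step is due again.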
