Larry J. Blunk, Merit Network

DNSSEC BOF PowerPoint PPT Presentation



Larry J. Blunk, Merit Network Internet2 Joint Techs Workshop Madison, WI July 19, 2006. DNSSEC BOF. Overview. DNSSEC links DNSSEC Quickstart Internet2 trial next steps DLV registry. DNSSEC Links. www.dnssec.net www.dnssec-deployment.org www.dnssec-tools.org


Presentation Transcript



Larry J. Blunk, Merit Network

Internet2 Joint Techs Workshop

Madison, WI

July 19, 2006

DNSSEC BOF


Overview

  • DNSSEC links

  • DNSSEC Quickstart

  • Internet2 trial next steps

  • DLV registry


DNSSEC Links

  • www.dnssec.net

  • www.dnssec-deployment.org

  • www.dnssec-tools.org

  • www.internet2.edu/presentations/jt2006feb/20060208-dnssec-kolkmanmankin.ppt

  • www.merit.edu/nrd/resources/dnssec_howto.pdf


DNSSEC Quickstart (I don't care how it works, just tell me what commands to type!!)

  • Add "dnssec-enable yes;" to the options section of named.conf

  • dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE foo.edu

    • returns "Kfoo.edu.+005+xxxxx", where xxxxx is a 5-digit random number

  • dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE foo.edu

    • returns "Kfoo.edu.+005+yyyyy", where yyyyy is a 5-digit random number

  • Add the following lines to the zone file (named db.foo.edu)

    • $include Kfoo.edu.+005+xxxxx.key

    • $include Kfoo.edu.+005+yyyyy.key

  • Generate the db.foo.edu.signed file from the input db.foo.edu zone file (signatures will have a lifetime of 90 days (7776000 seconds))

  • dnssec-signzone -r /dev/urandom -o foo.edu -k Kfoo.edu.+005+yyyyy \
    -e +7776000 db.foo.edu Kfoo.edu.+005+xxxxx.key
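
The number in each key file name from the quickstart is the key's DNSKEY key tag (RFC 4034, Appendix B), and the key made with -f KSK is the one whose flags field is 257. The Python sketch below is an added example, not part of the original slides: it parses two constructed DNSKEY lines (toy key material, hypothetical function names) and works out which file belongs after -k in the dnssec-signzone command.

```python
import base64

# Constructed sample lines in the format of the K*.key files that
# dnssec-keygen writes. The base64 is toy key material, not a usable RSA key.
ZSK_LINE = "foo.edu. IN DNSKEY 256 3 5 AwEAAcNafhE="
KSK_LINE = "foo.edu. IN DNSKEY 257 3 5 AwEAAcNafhE="

def parse_dnskey(line):
    """Split a DNSKEY line into (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split(";")[0].split()          # drop any trailing comment
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0].lower(), flags, proto, alg, key

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def describe(line):
    """Return (role, key file base name) for one DNSKEY line."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    if not flags & 0x0100:
        raise ValueError("Zone Key bit not set; not usable for zone signing")
    role = "KSK" if flags & 0x0001 else "ZSK"    # SEP bit is set by -f KSK
    return role, "K%s+%03d+%05d" % (owner, alg, key_tag(flags, proto, alg, key))

def signzone_keys(lines):
    """Pick the -k argument (KSK) and the trailing key files (ZSKs)."""
    found = [describe(l) for l in lines]
    ksks = [name for role, name in found if role == "KSK"]
    zsks = [name + ".key" for role, name in found if role == "ZSK"]
    if len(ksks) != 1 or not zsks:
        raise ValueError("expected exactly one KSK and at least one ZSK")
    return {"-k": ksks[0], "zsk_files": zsks}

if __name__ == "__main__":
    print(signzone_keys([ZSK_LINE, KSK_LINE]))
```

Running the same check over the real .key files before signing catches the common mistake of passing the zone-signing key to -k.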


Internet2 trial next steps

  • Recruiting new participants

  • DLV registry deployment

    • Deploy our own or use existing?

  • Lobby ARIN to sign in-addr.arpa delegations

    • October ARIN meeting in St. Louis


DLV – DNSSEC Lookaside Validation

  • Defined in RFC 4431

  • Mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain

  • Several trials available

    • www.isc.org/ops/dlv

    • www.dlv.verisignlabs.com

    • www.iks-jena.de/leistungen/dnssec.php

  • Should we create one for Internet2 DNSSEC trial?

    • Policies for registration?

