Internet2 dnssec pilot
Download
1 / 11

Internet2 DNSSEC Pilot - PowerPoint PPT Presentation


  • 38 Views
  • Uploaded on

Internet2 DNSSEC Pilot. Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Workshop Madison, Wisconsin, U.S.A., July 19 th 2006. Description of the Pilot. Goal: Deploy DNSSEC and gain operational experience Participants sign at least one of their zones

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Internet2 DNSSEC Pilot' - macey-vaughan


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Internet2 dnssec pilot

Internet2 DNSSEC Pilot

Shumon Huque

University of Pennsylvania

ESCC/Internet2 Joint Techs Workshop

Madison, Wisconsin, U.S.A., July 19th 2006


Description of the pilot
Description of the Pilot

  • Goal: Deploy DNSSEC and gain operational experience

  • Participants sign at least one of their zones

  • Exchange keys (trust anchors) that will allow them to mutually validate DNS data

  • Setup security-aware resolvers

    • configured with the trust anchors


A little background
A little background ..

  • Feb ‘06: DNSSEC Workshop held at Albuquerque Joint Techs

  • Mar ‘06: [email protected] mailing list

  • Apr ‘06: Internet2 Spring Member meeting

    • Advisory group formed and plans for a pilot project formulated

  • May ‘06: Pilot group began

    • Bi-weekly conference calls and progress reports


Co ordination
Co-ordination

  • Internet2 and Shinkuro

  • Partner in DNSSEC Deployment Initiative

    • http://www.dnssec-deployment.org/

  • Some funding from US government


Dnssec deployment efforts so far
DNSSEC Deployment Efforts so far

  • MAGPI GigaPoP

    • All zones: magpi.{net,org} & 15 reverse zones

    • https://rosetta.upenn.edu/magpi/dnssec.html

  • MERIT

    • radb.net

    • nanog.org

  • NYSERNet - test zone

    • nyserlab.org


Deployments in the pipeline
Deployments in the pipeline ..

  • University of Pennsylvania

  • University of California - Berkeley

  • University of California - Los Angeles

  • University of Massachusetts - Amherst

  • Internet2


Ongoing work discussion
Ongoing work & discussion

  • To DLV or not? (and if so, which registry?)

    • “DNSSEC Lookaside Validation”

  • Deploy NSEC3 or not?

  • Stub resolver security

  • Key maintenance & rollover policies

  • Secure delegations from parents

    • .edu, .net, .org, .in-addr.arpa


More participants welcome
More participants welcome!

  • (participation not restricted to Internet2)

  • Join mailing list

  • Participate in con calls

  • DNSSEC BoF @ lunchtime today


References
References

  • Internet2 DNSSEC Pilot

    • http://www.dnssec-deployment.org/internet2/

    • http://rosetta.upenn.edu/magpi/dnssec.html

  • Mailing list: [email protected]

    • https://mail.internet2.edu/wws/info/dnssec

  • Internet2 DNSSEC Workshop

    • http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243


References 2
References (2)

  • DNSSEC(bis) technical specs:

    • RFC 4033, 4034, 4035

  • Related:

    • Threat analysis of the DNS: RFC 3833

    • Operational practices

      • draft-ietf-dnsop-dnssec-operational-practices-08

    • NSEC3: draft-ietf-dnsext-nsec3-05

    • DLV: draft-weiler-dnssec-dlv-01

    • ISC DLV registry:

      • http://www.isc.org/index.pl?/ops/dlv/


Questions
Questions?

  • Shumon Huque

    • shuque -at- isc.upenn.edu


ad