This document provides an overview of various tools and implementations for DNSSEC, including key management and zone signing utilities. It details tools like BIND 9.3.0 for generating DNSKEY records and signing zones, as well as maintenance tools for trust anchors using n-of-m and revoke bit schemas. The NIST Secure Zone Integrity Tester is introduced for compliance checks. Additionally, it discusses the support for authoritative servers, recursive validating servers, and simple DNSSEC testing tools like Dig and Drill. The importance of independent implementations for advancing DNSSEC standards is emphasized.
DNSSEC implementations @ IETF-60, 2004/08/02, Olafur Gudmundsson
Key management tools
• Bind-9.3.0 dnssec-keygen:
  • Generates DNSKEYs and KEY records depending on input parameters.
• Net::DNS::SEC::Maint::Key
  • Toolkit for maintaining keys for zone signing.
  • Olaf Kolkman
Trust anchor tools
• Net-DNS-SEC-Utils-TrustedKeys
  • Tool to keep trust anchors up to date using an n-of-m schema
  • Olaf Kolkman
• RB-TrustAnchor
  • Tool to keep trust anchors up to date using the revoke bit schema
  • Olafur Gudmundsson
Zone signing
• Bind-9.3.0: dnssec-signzone
  • Fully signs a zone
• NIST Secure Zone Integrity Tester
  • Tool to check a zone before and after signing for compliance with DNSSEC-bis.
Serving
• NSD:
  • Authoritative server
    • Full support
• Bind-9.3.0:
  • Authoritative server
    • Full support
  • Recursive validating server:
    • Full support
End Resolvers
• Bind-9.3.0 www.isc.org
  • Stub resolver with TSIG and AD support.
  • Dig: +sigchase is a simple DNSSEC validator with supplied trust anchors.
• DNSJava
  • Stub resolver with TSIG and AD support
• Drill
  • Simple DNSSEC testing tool
  • Miek Gieben
Documentation
• DNSSEC HowTo
  • Olaf Kolkman (not ready yet)
• NIST 800 series document - DNS Security Administrators Guide
  • Scott Rose http://www-x.antd.nist.gov/dnssec
Testing tools
• DNSSEC server benchmark test
  • Scott Rose http://www-x.antd.nist.gov/dnssec
DNS(sec) API
• Some of the efforts claim to have an exported API, but the APIs are not the same.
• Do we need to standardize a DNS API?
  • GetRRsetByName()
  • ???
Final comments
• Good number of early tools
• Only tools reported to me are included; there are some other projects out there.
• Looking forward: to advance the DNSSEC-bis documents we need two independent implementations of all functional units.
  • Close, but some more are needed; in particular we would like more recursive caching resolvers.