DNSSEC BOF

Presentation Transcript

  1. DNSSEC BOF
     Larry J. Blunk, Merit Network
     Internet2 Joint Techs Workshop, Madison, WI
     July 19, 2006

  2. Overview
     • DNSSEC links
     • DNSSEC Quickstart
     • Internet2 trial next steps
     • DLV registry

  3. DNSSEC Links
     • www.dnssec.net
     • www.dnssec-deployment.org
     • www.dnssec-tools.org
     • www.internet2.edu/presentations/jt2006feb/20060208-dnssec-kolkmanmankin.ppt
     • www.merit.edu/nrd/resources/dnssec_howto.pdf

  4. DNSSEC Quickstart (I don't care how it works, just tell me what commands to type!!)
     • Add "dnssec-enable yes;" to the options section of named.conf
     • dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE foo.edu
       • returns "Kfoo.edu.+005+xxxxx" where xxxxx is a 5-digit random number
     • dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE foo.edu
       • returns "Kfoo.edu.+005+yyyyy" where yyyyy is a 5-digit random number
     • Add the following lines to the zone file (named db.foo.edu)
       • "$include Kfoo.edu.+005+xxxxx.key"
       • "$include Kfoo.edu.+005+yyyyy.key"
     • Generate the db.foo.edu.signed file from the input db.foo.edu zone file (signatures will have a lifetime of 90 days (7776000 seconds))
       • dnssec-signzone -r /dev/urandom -o foo.edu -k Kfoo.edu.+005+yyyyy \
             -e +7776000 db.foo.edu Kfoo.edu.+005+xxxxx.key

  5. Internet2 trial next steps
     • Recruiting new participants
     • DLV registry deployment
       • Deploy our own or use existing?
     • Lobby ARIN to sign in-addr.arpa delegations
       • October ARIN meeting in St. Louis

  6. DLV – DNSSEC Lookaside Validation
     • Defined in RFC 4431
     • Mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain
     • Several trials available
       • www.isc.org/ops/dlv
       • www.dlv.verisignlabs.com
       • www.iks-jena.de/leistungen/dnssec.php
     • Should we create one for Internet2 DNSSEC trial?
       • Policies for registration?
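
The quickstart on slide 4 signs with -e +7776000, so every signature in db.foo.edu.signed stops validating 90 days after signing unless the zone is re-signed. The Python check below is an added example, not part of the original slides: it reads the RRSIG records from signed zone text and lists those that are expired or close to expiry. The sample zone excerpt, its key tags and the 14-day warning threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the multi-line layout of a signed zone file; the key
# tags (11111, 22222) and signature data are placeholders, not real values.
SAMPLE_SIGNED_ZONE = """\
foo.edu.      3600 IN RRSIG SOA 5 2 3600 20061017120000 (
                      20060719120000 11111 foo.edu.
                      cGxhY2Vob2xkZXI= )
foo.edu.      3600 IN RRSIG DNSKEY 5 2 3600 20061017120000 (
                      20060719120000 22222 foo.edu.
                      cGxhY2Vob2xkZXI= )
www.foo.edu.  3600 IN RRSIG A 5 3 3600 20060818120000 (
                      20060520120000 11111 foo.edu.
                      cGxhY2Vob2xkZXI= )
"""

# RRSIG RDATA order (RFC 4034, section 3.2): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)"
    r"\s+\d+\s+\d+\s+\d+\s+(?P<expire>\d{14})\s*\(?\s*(?P<incept>\d{14})"
    r"\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

def parse_ts(stamp):
    """Convert an RRSIG YYYYMMDDHHMMSS timestamp (always UTC) to a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_windows(zone_text):
    """Return one dict per RRSIG found, with its validity window."""
    return [{"owner": m["owner"], "covered": m["covered"],
             "keytag": int(m["keytag"]),
             "inception": parse_ts(m["incept"]),
             "expiration": parse_ts(m["expire"])}
            for m in RRSIG_RE.finditer(zone_text)]

def expiring(zone_text, now, warn_days=14):
    """List (owner, covered, days_left) for signatures that are expired or
    expire within warn_days, soonest first. Negative days_left = expired."""
    limit = now + timedelta(days=warn_days)
    hits = [(s["owner"], s["covered"], (s["expiration"] - now).days)
            for s in rrsig_windows(zone_text) if s["expiration"] <= limit]
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for owner, covered, days in expiring(SAMPLE_SIGNED_ZONE, now):
        print(f"{owner} {covered}: {days} day(s) left; re-sign the zone")
```

Run against the real db.foo.edu.signed from a scheduled job, any output means dnssec-signzone needs to be re-run before validating resolvers start rejecting the zone.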