Internet2 DNSSEC Pilot
Shumon Huque, University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop
Madison, Wisconsin, U.S.A., July 19th 2006

Description of the Pilot
• Goal: Deploy DNSSEC and gain operational experience
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
• Set up security-aware resolvers
  • configured with the trust anchors

A little background..
• Feb '06: DNSSEC Workshop held at Albuquerque Joint Techs
• Mar '06: dnssec@internet2 mailing list
• Apr '06: Internet2 Spring Member meeting
  • Advisory group formed and plans for a pilot project formulated
• May '06: Pilot group began
  • Bi-weekly conference calls and progress reports

Co-ordination
• Internet2 and Shinkuro
• Partner in DNSSEC Deployment Initiative
  • http://www.dnssec-deployment.org/
• Some funding from US government

DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
  • All zones: magpi.{net,org} & 15 reverse zones
  • https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
  • radb.net
  • nanog.org
• NYSERNet - test zone
  • nyserlab.org

Deployments in the pipeline..
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• University of Massachusetts - Amherst
• Internet2

Ongoing work & discussion
• To DLV or not? (and if so, which registry?)
  • "DNSSEC Lookaside Validation"
• Deploy NSEC3 or not?
• Stub resolver security
• Key maintenance & rollover policies
• Secure delegations from parents
  • .edu, .net, .org, .in-addr.arpa

More participants welcome!
• (participation not restricted to Internet2)
• Join mailing list
• Participate in con calls
• DNSSEC BoF @ lunchtime today

References
• Internet2 DNSSEC Pilot
  • http://www.dnssec-deployment.org/internet2/
  • http://rosetta.upenn.edu/magpi/dnssec.html
• Mailing list: dnssec@internet2.edu
  • https://mail.internet2.edu/wws/info/dnssec
• Internet2 DNSSEC Workshop
  • http://events.internet2.edu/2006/jtalbuquerque/sessionDetails.cfm?session=2491&event=243

References (2)
• DNSSEC(bis) technical specs:
  • RFC 4033, 4034, 4035
• Related:
  • Threat analysis of the DNS: RFC 3833
  • Operational practices
    • draft-ietf-dnsop-dnssec-operational-practices-08
  • NSEC3: draft-ietf-dnsext-nsec3-05
  • DLV: draft-weiler-dnssec-dlv-01
  • ISC DLV registry:
    • http://www.isc.org/index.pl?/ops/dlv/

Questions?
• Shumon Huque
• shuque -at- isc.upenn.edu
