© 2015 ISC November 2013 Sunset for the DLV?

Presentation transcript:

© 2015 ISC November 2013 Sunset for the DLV?

Background (c) Interested

A lot has changed since 2006
• .com zone signed
• IANA ITAR decommissioned
• DLV IETF Draft
• DLV.isc.org
• Root zone signed
• ICANN requires new GTLDs sign
• NSEC3 IETF Draft
• DNSSEC bis IETF Drafts
• IANA ITAR
• ITAR records removed
• Over 100 ccTLDs are signed
• ISC begins decommissioning DLV.isc.org?
• .edu, .net signed
• Google, Comcast verify DNSSEC
• 642 TLDs are signed

Is DLV now DELAYING deployment?

Benefits
• Allows a signed zone to be validated even if the parent is not signed
• Accepts DS records from anyone
• Free service

Disadvantages
• Reduces pressure on parent to get signed
• Reduces pressure on registrars to accept DS records
• Validator has to perform an additional query to the DLV when validating

Who Needs the DLV?
• Entities with signed zones under unsigned parent zones (i.e., signed 2nd level domains under unsigned parents)
• Entities whose registrars don't accept DS records (though the 2013 ICANN Registrar Accreditation Agreement requires them to…)
• Signed zones moving from one registrar to a new registrar may benefit from temporary coverage by DLV, especially if the first registrar is uncooperative in the move

Registrar Support
• Registrar support for DS records is available but not universal
• Some DLV users will have to switch registrars, putting appropriate pressure on registrars to support DS records

Registrars that support end user DNSSEC management, including entry of DS records
loyment en
Last updated: 15 December 2014
Updates to:

Ready to Sunset DLV?
• Root signed
• TLDs signed (79%) TLDs have trust anchors in root
• Registrars supporting DNSSEC validation records for child domains
• Announcing sunset plan for DLV will encourage this
• Remaining gap with registrar transitions

1st Step = Clean Up the Zones
4568 zones configured
• 2867 fully configured/working zones – only 397 are in an unsigned parent
• ~20% fully validate from the root
• Notify, and remove unnecessarily delegated zones
• Stop adding new zones
• Eventually, remove all zones dlv.isc.org delegation records

Proposed timeline for shrinking the DLV zone list
2015 | 2016 | 2017

Request owner remove the zone if:
1. The zone already has DNSSEC records in the parent, and can be validated to the root outside of DLV.
2. The zone could be properly signed (i.e. all of the parent zones are signed up to the root), but for some reason isn't.

3. No more new registrations for zones that could validate outside of DLV
4. No new users or zones registered with DLV.
5. Existing zones that could be validated outside of DLV will be purged (~1 year notice)
6. Remaining DLV records will be removed (~1-2 yrs notice)
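
Added example (not part of the original slides or ISC's tooling): a small classifier that sorts DLV-registered zones using the two removal criteria above, plus the unsigned-parent case DLV was built for. The zone names and signed/DS flags are constructed; criterion 2 is read here as "every ancestor validates to the root but no DS is published in the parent", which is an assumption.

```python
# Constructed data: zone -> (is_signed, ds_in_parent).
# "." is the root; its trust anchor is treated as its "DS".
# A real audit would fill this table from DNSKEY/DS lookups.
ZONES = {
    ".": (True, True),
    "org.": (True, True),
    "example.org.": (True, True),    # full chain: DLV entry is redundant
    "nods.org.": (True, False),      # signed, parent signed, DS never published
    "xx.": (False, False),           # constructed unsigned TLD
    "island.xx.": (True, False),     # signed zone under an unsigned parent
}

def ancestors(zone):
    """Yield parent zones from the immediate parent up to the root."""
    labels = zone.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def chain_intact(zone, zones):
    """True if the zone and every ancestor is signed with a DS in its parent."""
    for name in [zone, *ancestors(zone)]:
        signed, ds = zones.get(name, (False, False))  # unknown = unsigned
        if not (signed and ds):
            return False
    return True

def classify(zone, zones=ZONES):
    signed, ds = zones.get(zone, (False, False))
    if not signed:
        return "not-signed"                    # nothing for DLV to vouch for
    if chain_intact(zone, zones):
        return "remove: validates from root"   # criterion 1
    parent = next(ancestors(zone))
    if chain_intact(parent, zones) and not ds:
        return "remove: publish DS in parent"  # criterion 2 (as read above)
    return "keep: unsigned ancestor"           # the gap DLV still covers

if __name__ == "__main__":
    for z in ("example.org.", "nods.org.", "island.xx."):
        print(f"{z:15} {classify(z)}")
```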

Communications Plan
• Discuss with participants at ICANN, DNS-OARC, RIPE, operator meetings – to DNS tech discussion lists
• Notify current DLV users
• Discuss with validating resolver publishers (incl OS packagers)

Any Concerns
• Further suggestions about whom to notify?
