Internet2 Joint Techs DNSSEC BOF July 19,

DNSSEC BOF
Larry J. Blunk, Merit Network
Internet2 Joint Techs Workshop
Madison, WI
July 19, 2006

Overview
  DNSSEC links
  DNSSEC Quickstart
  Internet2 trial next steps
  DLV registry

DNSSEC Links
  dnssec-kolkmanmankin.ppt

DNSSEC Quickstart
(I don't care how it works, just tell me what commands to type!!)

Add "dnssec-enable yes;" to the options section of named.conf

Generate the zone signing key:
  dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE foo.edu
  returns "Kfoo.edu.+005+xxxxx" where xxxxx is a 5 digit random number

Generate the key signing key:
  dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -n ZONE foo.edu
  returns "Kfoo.edu.+005+yyyyy" where yyyyy is a 5 digit random number

Add the following lines to the zonefile (named db.foo.edu):
  $include Kfoo.edu.+005+xxxxx.key
  $include Kfoo.edu.+005+yyyyy.key

Generate the db.foo.edu.signed file from the input db.foo.edu zonefile
(signatures will have a lifetime of 90 days (7776000 seconds)):
  dnssec-signzone -r /dev/urandom -o foo.edu -k Kfoo.edu.+005+yyyyy \
      -e +7776000 db.foo.edu Kfoo.edu.+005+xxxxx.key
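
An added example, not part of the original slides: because the signatures in db.foo.edu.signed are only valid for 90 days, the zone must be re-signed before they lapse or validating resolvers will reject its answers. This Python sketch scans signed zone text for RRSIG records that are close to expiry; the sample zone, its key tags and its signature blobs are constructed placeholders, and the 14-day warning window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG RDATA in presentation format (RFC 4034, section 3.2):
#   type-covered algorithm labels original-ttl expiration inception key-tag signer
# "RRSIG" inside an NSEC type bitmap does not match, since no numbers follow it.
RRSIG_RE = re.compile(
    r"RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+\(?\s*(?P<incept>\d{14})\s+"
    r"(?P<tag>\d+)\s+(?P<signer>\S+)"
)

# Constructed sample in the multi-line layout a signed zone file uses.
# Key tags 11111/22222 and the base64 blobs are placeholders, not real keys.
SAMPLE_SIGNED_ZONE = """\
foo.edu.        3600 IN RRSIG SOA 5 2 3600 20061017000000 (
                        20060719000000 11111 foo.edu.
                        cGxhY2Vob2xkZXI= )
                3600 IN RRSIG DNSKEY 5 2 3600 20061017000000 (
                        20060719000000 22222 foo.edu.
                        cGxhY2Vob2xkZXI= )
www.foo.edu.    3600 IN RRSIG A 5 3 3600 20060818000000 (
                        20060719000000 11111 foo.edu.
                        cGxhY2Vob2xkZXI= )
"""

def _ts(stamp):
    """Convert a YYYYMMDDHHMMSS RRSIG timestamp (always UTC) to a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Return one dict per RRSIG record found in the zone text."""
    return [
        {"covered": m["covered"], "key_tag": int(m["tag"]), "signer": m["signer"],
         "inception": _ts(m["incept"]), "expiration": _ts(m["expire"])}
        for m in RRSIG_RE.finditer(zone_text)
    ]

def expiring(zone_text, now, warn_days=14):
    """RRSIGs that are already expired or expire within warn_days of now."""
    limit = now + timedelta(days=warn_days)
    return [r for r in parse_rrsigs(zone_text) if r["expiration"] <= limit]

if __name__ == "__main__":
    now = datetime(2006, 8, 10, tzinfo=timezone.utc)  # constructed "today"
    for r in expiring(SAMPLE_SIGNED_ZONE, now):
        days = (r["expiration"] - now).days
        print(f'{r["covered"]:8} key {r["key_tag"]} expires in {days} days')
```

Run against the real db.foo.edu.signed from cron with `datetime.now(timezone.utc)` as `now`, and re-run dnssec-signzone whenever anything is reported.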

Internet2 trial next steps
  Recruiting new participants
  DLV registry deployment
    Deploy our own or use existing?
  Lobby ARIN to sign in-addr.arpa delegations
    October ARIN meeting in St. Louis

DLV - DNSSEC Lookaside Validation
  Defined in RFC 4431
  Mechanism for publishing DNSSEC trust anchors outside of the DNS delegation chain
  Several trials available
  Should we create one for Internet2 DNSSEC trial?
    Policies for registration?