Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

Published byGary Damon Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested"— Presentation transcript:

1 © 2015 ISC November 2013 Sunset for the DLV?

2 © 2015 ISC Background (c) Interested Bystandr @flickr

3 © 2015 ISC root DS.org,.com.org isc.org ksk dlv.isc.org dlv.isc.org ksk acme.ISPZZ.com.com DS ISPzz.com ISPzz.com DS acme.ISPzz.com acme.ISPzz.com ksk acme.ISPZZ.com.az BillsBanjos.au Design DNSSEC Validation Validate The design calls for a chain of trust from child to parent, all the way back to the root.

4 © 2015 ISC DLV = alternate path to trust anchor root.org isc.org dlv.isc.org DS acme.ISPZZ.com.com ISPzz.com acme.ISPzz.com ksk zcme.ISPZZ.com Validate Before the planned chain of trust was available, the DLV provided a substitute.

5 © 2015 ISC.com zone signed IANA ITAR decommissioned IANA ITAR decommissioned A lot has changed since 2006 DLV IETF Draft DLV IETF Draft 200420052006200720082009 201020112012201320142015 DLV.isc.org Root zone signed Root zone signed ICANN requires new GTLDs sign NSEC3 IETF Draft NSEC3 IETF Draft DNSSEC bis IETF Drafts DNSSEC bis IETF Drafts IANA ITAR ITAR records removed Over 100 ccTLDs are signed ISC begins decommissioning DLV.isc.org? ISC begins decommissioning DLV.isc.org?.edu,.net signed Google, Comcast verify DNSSEC 642 TLDs are signed

6 © 2015 ISC Is DLV now DELAYING deployment? Benefits  Allows a signed zone to be validated even if the parent is not signed  Accepts DS records from anyone  Free service Disadvantages  Reduces pressure on parent to get signed  Reduces pressure on registrars to accept DS records  Validator has to perform an additional query to the DLV when validating

7 © 2015 ISC Who Needs the DLV?  Entities with signed zones under unsigned parent zones (i.e., signed 2nd level domains under unsigned parents)  Entities that Registrars that don't accept DS records.  Signed zones moving from one registrar to a new registrar may benefit from temporary coverage by DLV, esp if first registrar is uncooperative in the move

8 © 2015 ISC ‭DNSSEC Deployed on 586 out of 771 TLDs‬ https://www.icann.org/resources/pages/deployment-graph-2012-02-25-en 76% 10/2014

9 © 2015 ISC Registrar Support  Registrar support for DS records is available but not universal –The 2013 ICANN Registrar Accreditation Agreement requires support  Some DLV users will have to switch registrars, putting appropriate pressure on registrars to support DS records Registrars that support end user ‭ DNSSEC ‬ management, including entry of DS records https://www.icann.org/resources/pages/dep loyment-2012-02-25-en Last updated: 15 December 2014 Updates to: dnssec@icann.org

10 © 2015 ISC Ready to Sunset DLV? Root signed TLDs signed (79%) TLDs have trust anchors in root Registrars supporting DNSSEC validation records for child domains Announcing sunset plan for DLV will encourage this  Remaining gap with registrar transitions

11 © 2015 ISC 1 st Step = Clean Up the Zones 4568 zones configured  2867 fully configured/working zones –only 397 are in an unsigned parent  ~20% fully validate from the root  Notify, and Remove unnecessarily delegated zones  Stop adding new zones  Eventually, remove all zones dlv.isc.org delegation records

12 © 2015 ISC 2015 | 2016|2017| Request owner remove the zone if: 1.If the zone already has DNSSEC records in the parent, and can be validated to the root outside of DLV. 2.The zone could be properly signed (i.e. all of the parent zones are signed up to the root), but for some reason isn't. Request owner remove the zone if: 1.If the zone already has DNSSEC records in the parent, and can be validated to the root outside of DLV. 2.The zone could be properly signed (i.e. all of the parent zones are signed up to the root), but for some reason isn't. 3. No more new registrations for zones that could validate outside of DLV 4. No new users or zones registered with DLV. 5. Existing zones that could be validated outside of DLV will be purged (~1 year notice) 4. No new users or zones registered with DLV. 5. Existing zones that could be validated outside of DLV will be purged (~1 year notice) 6. Remaining DLV records will be removed (~1-2 yrs notice) Proposed timeline for shrinking the DLV zone list

13 © 2015 ISC Communications Plan  Discuss with participants at ICANN, DNS-OARC, RIPE, operator meetings –Email to DNS tech discussion lists  Notify current DLV users  Discuss with validating resolver publishers (incl OS packagers)

14 © 2015 ISC root ksk.org,.com.org ksk isc.org isc.org ksk dlv.isc.org dlv.isc.org ksk acme.ISPZZ.com.com ksk ISPzz.com ISPzz.com ksk acme.ISPZZ.com acme.ISPzz.com zsk zcme.ISPZZ.com.az BillsBanjos.au Goal: DNSSEC Validation DNSSEC 2017

15 © 2015 ISC dlv@isc.org

Download ppt "© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested"

Similar presentations

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Cairo 2 November 2008 1. Agenda  Guidebook overview  Supporting and explanatory materials  Guidebook Module detail  Probable timelines 2.

Cairo 2 November Agenda  Guidebook overview  Supporting and explanatory materials  Guidebook Module detail  Probable timelines 2.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting (2008-01-16)

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
IANA Activities Update RIPE 68 Warsaw, Poland May 2014.

IANA Activities Update RIPE 68 Warsaw, Poland May 2014.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Similar presentations

Ads by Google