(last notes from NANOG37, yay! I definitely fell further behind this time around than in Dallas. Unfortunately, I don't think I'll be allowed to go to St. Louis, so I probably won't be able to provide notes for NANOG38. --Matt)

2006.06.07 Deploying DNSSEC--bootstrap yourself
Joao Damas, ISC
[notes are at http://www.nanog.org/mtg-0606/pdf/joao-damas.pdf]

DNSSEC status
standard is complete and usable
some minor nits with regards to some privacy issues
2 implementations: NSD, BIND
at least one DNSSEC aware resolver (BIND 9.3.2 and later)

Really, you just need some data.

DNSSEC follows a hierarchical model for signatures.
sign the root zone
get root zone to delegation-sign TLDs
get TLDs to delegation-sign SLDs, etc.

Today, the root zone remains unsigned
likely will be this way for some time
Very few TLDs have signed their zones and offer delegation signatures
.se, .ru, .org

DNSSEC provides for local trust anchors
you can use trust-anchors clause in BIND
problem: if you have too many, it becomes a nightmare to maintain, so it doesn't get used.
very manual process

Enter DLV, domain lookaside validation
it's an implementation feature, not a change to the protocol; matter of local policy
enables access to a remote, signed repository of trust anchors, via the DNS
implemented in BIND's resolver so far
more to follow?
unfortunately, requires you to trust remote repository

DLV lookup
a DLV enabled resolver will try to find a secure entry point using regular DNSSEC; only if it fails is DLV used, if it is configured.
[picture of DLV lookup chain]

On resolver (BIND) add to named.conf in the options section

    // DNSSEC config
    dnssec-enable yes;
    dnssec-lookaside . trust-anchor dlv.isc.org.;

get the key from ISC's web: http://www.isc.org/ops/dlv

ISC is operating a DLV registry free of charge for anyone who wants to secure their DNS
Likely some closed orgs will use their own (eg mil)
have a look, start using it!

Any questions?

Q: Mark Kosters, Verisign: Any plans to configure DLV registries per TLD?
A: BIND code only allows for one right now.
Q: Would be good to allow it to be configured per TLD.

Q: Randy Bush, IIJ: some feeling or understanding how IANA, root would validate keys/zones it has keys for; don't understand how ISC proposes to validate keys it would be storing. He suggests they publish the security policy.
A: In case of registrars proxying keys; they trust registrar. Otherwise, it's like PGP; show me your face, show me your key.

Q: Paul Vixie, ISC, following up on Mark Kosters; you can only have one DLV for any point in the namespace; you can specify a different one for a TLD than root; that allows a TLD DLV to be paranoid, like .mil. who doesn't want to trust anyone else with key information. If every TLD wanted to do that, they would find high levels of cut-and-paste fatigue, so ISC will operate a root level DLV server as well.

Q: Rick Wesson, runs Alice's Registry, a small registrar. he's considering doing this, he can help DNS holders register their keys if people are interested, and will help get them into the DLV tree.

Q: Sam Wiler?, Sparta: concerns from Randy about how ISC will authenticate the entries. Registrars should consider running their own DLV servers, as they have the relationship with the domain holder. Code? Apparently you don't need code...

NANOG 37, ending slides.
425 attendees, 118 first timers
lots of countries
most USA, 11 Canada, scattered others.
ISP, then NSP, then other categories.
top 3 companies represented: Cisco, Juniper, Equinix

HUGE thanks to Rodney Joffe and Neustar for pulling off a miracle to make this happen at the last minute!
Thanks to sponsors, beer, gear, other.
Susan R Harris, many thanks to her for all the work she has put in over the years and to make this happen!
Also huge thanks to all the other people at Merit

And we'll see you in St. Louis, Oct 8-10th, joint meeting with ARIN, things set in stone.

Network will go down in 30 minutes or so--pack up and go home! :) I think that was the fastest closing I've seen at a NANOG yet. ^_^;;
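
The lookup order from the DLV part of the talk (regular DNSSEC first, DLV only as a fallback, one DLV domain per namespace point) sketched as an added Python example; it is not BIND code and not from the slides. Assumptions: the function names are hypothetical, dlv.example.mil is a made-up registry, "regular DNSSEC" is reduced to "a local trust anchor covers the name", and the label-stripping search of the DLV zone follows the DLV specification (RFC 5074) rather than anything in these notes.

```python
# Added illustration (not BIND code): decide where a validating resolver
# looks for a secure entry point, in the order given in the talk.

def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []

def covers(apex, name):
    """True when name is at or below apex ('.' covers every name)."""
    a, n = labels(apex), labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a

def closest(name, apexes):
    """Most specific apex covering name, or None if nothing covers it."""
    hits = [a for a in apexes if covers(a, name)]
    return max(hits, key=lambda a: len(labels(a)), default=None)

def dlv_candidates(qname, point, dlv_domain):
    """Names to query in the DLV zone: qname + DLV domain, then strip the
    leftmost label each time, stopping at the configured namespace point."""
    q = labels(qname)
    floor = max(len(labels(point)), 1)   # never query the bare DLV apex
    suffix = dlv_domain.rstrip(".") + "."
    return [".".join(q[i:]) + "." + suffix for i in range(len(q) - floor + 1)]

def entry_point_plan(qname, trust_anchors, lookaside):
    """trust_anchors: zones with a locally configured key.
    lookaside: {namespace point: DLV domain}, one DLV domain per point."""
    anchor = closest(qname, trust_anchors)
    if anchor is not None:               # regular DNSSEC is tried first
        return ("dnssec", anchor, [])
    point = closest(qname, lookaside)
    if point is None:                    # no DLV configured for this name
        return ("insecure", None, [])
    dlv = lookaside[point]
    return ("dlv", dlv, dlv_candidates(qname, point, dlv))

# Constructed sample configuration; dlv.example.mil is a hypothetical registry.
TRUST_ANCHORS = ["se."]
LOOKASIDE = {".": "dlv.isc.org.", "mil.": "dlv.example.mil."}

if __name__ == "__main__":
    for q in ("www.example.com.", "www.example.se.", "host.unit.mil."):
        print(q, entry_point_plan(q, TRUST_ANCHORS, LOOKASIDE))
```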