Hi

ARIN is now signing the /8 zones that it is authoritative for (eg 192.in-addr.arpa, etc). This is phase two of a three-phase process. Given that in-addr.arpa is not yet signed, we have published a list of trust anchors that you can download to configure on your local recursive resolvers.

Additional details are at http://www.arin.net/about_us/dnssec/

Regards,
Mark Kosters
ARIN CTO
On Thu, Jul 2, 2009 at 11:06 AM, Mark Kosters<markk@arin.net> wrote:
Hi
ARIN is now signing the /8 zones that it is authoritative for (eg 192.in-addr.arpa, etc).
Thanks! (in case no one else mentioned it) -Chris
This is phase two of a three-phase process. Given that in-addr.arpa is not yet signed, we have published a list of trust anchors that you can download to configure on your local recursive resolvers.
Additional details are at http://www.arin.net/about_us/dnssec/
Regards, Mark Kosters ARIN CTO
On Fri, 03 Jul 2009 12:21:36 +0900 Randy Bush <randy@psg.com> wrote:
On Thu, Jul 2, 2009 at 11:06 AM, Mark Kosters<markk@arin.net> wrote:
ARIN is now signing the /8 zones that it is authoritative for (eg 192.in-addr.arpa, etc). Thanks!
indeed!
Wonderful! --Steve Bellovin, http://www.cs.columbia.edu/~smb
Hi Mark,

Are there any high level operational details you could share? Specifically, are you using any commercial/OSS software to handle the (automated?) periodic key roll overs?

Are you using bind? Do you have any experience or suggestions on what version to start with?

Given that phase 3 is still a work in progress - do you anticipate giving ARIN members an automated/scripted way to submit their delegation records?

Thanks!

- Dan

Mark Kosters wrote:
Hi
ARIN is now signing the /8 zones that it is authoritative for (eg 192.in-addr.arpa, etc).
This is phase two of a three-phase process. Given that in-addr.arpa is not yet signed, we have published a list of trust anchors that you can download to configure on your local recursive resolvers.
Additional details are at http://www.arin.net/about_us/dnssec/
Regards, Mark Kosters ARIN CTO
On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
Are there any high level operational details you could share?
Specifically, are you using any commercial/OSS software to handle the (automated?) periodic key roll overs?
We looked at Secure64's product but decided to follow the open source route. We are using ISC's bind (9.6.1) for resolution service on ARIN-hosted servers and I'm not sure what VeriSign does on theirs (they secondary the /8's as well) but it is modern enough to support NSEC RR's. As far as the zone signing and key management is concerned, we are using zkt (http://www.hznet.de/dns/zkt/) and are basically following RIPE's model for zone signing.
Are you using bind? Do you have any experience or suggestions on what version to start with?
Depends on what you want to do. For example, we are using plain old NSEC which bind has supported for a while. If you want to support the shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later. There are other authoritative servers that support DNSSEC as well - NSD comes to mind but I'm sure there are others as well.
Given that phase 3 is still a work in progress - do you anticipate giving ARIN members an automated/scripted way to submit their delegation records?
ARIN Online is going to have a management interface to insert DS RR's. It would be good to hear from you and others on what sorts of ways you would want to interface with us on bulk data transfers/uploads etc. We had a BOF related to this with SWIPS at the last ARIN meeting and received a lot of good feedback with the conclusion that using a restful service would be a useful transport for this type of data transfer. We certainly need your feedback on future services and encourage you and others to join an upcoming ARIN meeting so that we can get good direction from you and others.

Regards,
Mark
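The DS records that ARIN Online will accept are derived from the child zone's DNSKEY, and the later discussion in this thread is about keeping that DS in sync with the child's key. The following is an added example, not ARIN's, ISC's or any participant's code, showing how a DS record is computed from a DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) and how an operator can check that the DS the parent holds still matches the key the child publishes. The DNSKEY line, its 4-byte "key" material and the stale DS are constructed placeholders, not real keys.

```python
"""Derive a DS record from a child zone's DNSKEY and verify that a DS
handed to the parent still matches the key the child publishes.
Key tag: RFC 4034 Appendix B; SHA-256 DS digest: RFC 4509.
Added example for this thread; not ARIN's, ISC's or any participant's code."""
import base64
import hashlib
import struct

# Digest types this example supports (1 = SHA-1, 2 = SHA-256).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length out of range: %r" % label)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B.1: 16-bit checksum-style sum over the DNSKEY RDATA."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """Return the DS RDATA fields (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    if digest_type not in DIGESTS:
        raise ValueError("unsupported digest type %d" % digest_type)
    algorithm = rdata[3]
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def parse_dnskey(line: str):
    """Parse presentation form 'owner [ttl] [class] DNSKEY flags proto alg base64...'."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return tokens[0], dnskey_rdata(flags, proto, alg, pubkey)


def parse_ds(line: str):
    """Parse presentation form 'owner [ttl] [class] DS tag alg dtype hexdigest...'."""
    tokens = line.split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    return tokens[0], (tag, alg, dtype, "".join(tokens[i + 4:]).upper())


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True only if the DS (as held by the parent) was derived from this exact DNSKEY.
    False is the failure mode the thread worries about: a child that rolled its KSK
    without the parent's DS following it looks bogus to validating resolvers."""
    ds_owner, (tag, alg, dtype, digest) = parse_ds(ds_line)
    key_owner, rdata = parse_dnskey(dnskey_line)
    if name_to_wire(ds_owner) != name_to_wire(key_owner):
        return False
    if dtype not in DIGESTS:
        return False
    return (tag, alg, dtype, digest) == make_ds(key_owner, rdata, dtype)


if __name__ == "__main__":
    # Constructed sample: flags 257 (KSK), protocol 3, algorithm 8, and a 4-byte
    # placeholder "key" (AQIDBA== is base64 for 01 02 03 04); not a real RSA key.
    child_key = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="
    owner, rdata = parse_dnskey(child_key)
    tag, alg, dtype, digest = make_ds(owner, rdata)
    current_ds = "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest)
    stale_ds = "example.com. IN DS 12345 8 2 " + "00" * 32   # constructed mismatch
    print("DS to submit to the parent:", current_ds)
    print("current DS matches child key:", ds_matches_dnskey(current_ds, child_key))
    print("stale DS matches child key:", ds_matches_dnskey(stale_ds, child_key))
```

Run with a real DNSKEY line taken from the child zone's apex and the DS line fetched from the parent; a mismatch on owner, key tag, algorithm or digest means the delegation will not validate until the parent's DS is updated.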
In message <20090707171251.GA2797@arin.net>, Mark Kosters writes:
On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
Are there any high level operational details you could share?
Specifically, are you using any commercial/OSS software to handle the (automated?) periodic key roll overs?
We looked at Secure64's product but decided to follow the open source route. We are using ISC's bind (9.6.1) for resolution service on ARIN-hosted servers and I'm not sure what VeriSign does on theirs (they secondary the /8's as well) but it is modern enough to support NSEC RR's. As far as the zone signing and key management is concerned, we are using zkt (http://www.hznet.de/dns/zkt/) and are basically following RIPE's model for zone signing.
Are you using bind? Do you have any experience or suggestions on what version to start with?
Depends on what you want to do. For example, we are using plain old NSEC which bind has supported for a while. If you want to support the shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later. There are other authoritative servers that support DNSSEC as well - NSD comes to mind but I'm sure there are others as well.
Given that phase 3 is still a work in progress - do you anticipate giving ARIN members an automated/scripted way to submit their delegation records?
ARIN Online is going to have a management interface to insert DS RR's. It would be good to hear from you and others on what sorts of ways you would want to interface with us on bulk data transfers/uploads etc. We had a BOF related to this with SWIPS at the last ARIN meeting and received a lot of good feedback with the conclusion that using a restful service would be a useful transport for this type of data transfer. We certainly need your feedback on future services and encourage you and others to join an upcoming ARIN meeting so that we can get good direction from you and others.
Regards, Mark
DS (DNSKEY?) to parent is a general problem which needs to be solved for all delegations. It would be nice if this could be completely in-band child master to parent master so humans were completely out of the loop except to establish the initial DS RRset in the parent.

Nanog however isn't the venue to discuss this. I would think IETF DNSEXT WG <namedroppers@ops.ietf.org> would be a reasonable place to hold the discussion.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote:
In message <20090707171251.GA2797@arin.net>, Mark Kosters writes:
On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
Are there any high level operational details you could share?
Specifically, are you using any commercial/OSS software to handle the (automated?) periodic key roll overs?
We looked at Secure64's product but decided to follow the open source route. We are using ISC's bind (9.6.1) for resolution service on ARIN-hosted servers and I'm not sure what VeriSign does on theirs (they secondary the /8's as well) but it is modern enough to support NSEC RR's. As far as the zone signing and key management is concerned, we are using zkt (http://www.hznet.de/dns/zkt/) and are basically following RIPE's model for zone signing.
Are you using bind? Do you have any experience or suggestions on what version to start with?
Depends on what you want to do. For example, we are using plain old NSEC which bind has supported for a while. If you want to support the shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later. There are other authoritative servers that support DNSSEC as well - NSD comes to mind but I'm sure there are others as well.
Given that phase 3 is still a work in progress - do you anticipate giving ARIN members an automated/scripted way to submit their delegation records?
ARIN Online is going to have a management interface to insert DS RR's. It would be good to hear from you and others on what sorts of ways you would want to interface with us on bulk data transfers/uploads etc. We had a BOF related to this with SWIPS at the last ARIN meeting and received a lot of good feedback with the conclusion that using a restful service would be a useful transport for this type of data transfer. We certainly need your feedback on future services and encourage you and others to join an upcoming ARIN meeting so that we can get good direction from you and others.
Regards, Mark
DS (DNSKEY?) to parent is a general problem which needs to be solved for all delegations. It would be nice if this could be completely in-band child master to parent master so humans were completely out of the loop except to establish the initial DS RRset in the parent.
Nanog however isn't the venue to discuss this. I would think IETF DNSEXT WG <namedroppers@ops.ietf.org> would be a reasonable place to hold the discussion.
Mark
hey, that's what the CADR tool does. fully in-band maintenance for the child/parent interactions. only needs manual re-keying if a party loses control of the credential.

--bill
In message <20090708013805.GA1838@vacation.karoshi.com.>, bmanning@vacation.karoshi.com writes:
On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote:
In message <20090707171251.GA2797@arin.net>, Mark Kosters writes:
On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
Are there any high level operational details you could share?
Specifically, are you using any commercial/OSS software to handle the (automated?) periodic key roll overs?
We looked at Secure64's product but decided to follow the open source route. We are using ISC's bind (9.6.1) for resolution service on ARIN-hosted servers and I'm not sure what VeriSign does on theirs (they secondary the /8's as well) but it is modern enough to support NSEC RR's. As far as the zone signing and key management is concerned, we are using zkt (http://www.hznet.de/dns/zkt/) and are basically following RIPE's model for zone signing.
Are you using bind? Do you have any experience or suggestions on what version to start with?
Depends on what you want to do. For example, we are using plain old NSEC which bind has supported for a while. If you want to support the shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later. There are other authoritative servers that support DNSSEC as well - NSD comes to mind but I'm sure there are others as well.
Given that phase 3 is still a work in progress - do you anticipate giving ARIN members an automated/scripted way to submit their delegation records?
ARIN Online is going to have a management interface to insert DS RR's. It would be good to hear from you and others on what sorts of ways you would want to interface with us on bulk data transfers/uploads etc. We had a BOF related to this with SWIPS at the last ARIN meeting and received a lot of good feedback with the conclusion that using a restful service would be a useful transport for this type of data transfer. We certainly need your feedback on future services and encourage you and others to join an upcoming ARIN meeting so that we can get good direction from you and others.
Regards, Mark
DS (DNSKEY?) to parent is a general problem which needs to be solved for all delegations. It would be nice if this could be completely in-band child master to parent master so humans were completely out of the loop except to establish the initial DS RRset in the parent.
Nanog however isn't the venue to discuss this. I would think IETF DNSEXT WG <namedroppers@ops.ietf.org> would be a reasonable place to hold the discussion.
Mark
hey, that's what the CADR tool does. fully in-band maintenance for the child/parent interactions. only needs manual re-keying if a party loses control of the credential.

It would be nice if http://www.rs.net/cadr/ wasn't a blank page.

Mark

--bill

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, Jul 08, 2009 at 11:58:17AM +1000, Mark Andrews wrote:
received a lot of good feedback with the conclusion that using a restful service would be a useful transport for this type of data transfer. We certainly need your feedback on future services and encourage you and others to join an upcoming ARIN meeting so that we can get good direction from you and others.
Regards, Mark (Kosters)
DS (DNSKEY?) to parent is a general problem which needs to be solved for all delegations. It would be nice if this could be completely in-band child master to parent master so humans were completely out of the loop except to establish the initial DS RRset in the parent.
Mark (Andrews)
hey, that's what the CADR tool does. fully in-band maintenance for the child/parent interactions. only needs manual re-keying if a party loses control of the credential. -- bill

It would be nice if http://www.rs.net/cadr/ wasn't a blank page.
Mark (Andrews)
You mean someone wants the code? I'll be happy to put it back up if folks are interested.

--bill
In message <20090708025854.GA1519@vacation.karoshi.com.>, bmanning@vacation.karoshi.com writes:
On Wed, Jul 08, 2009 at 11:58:17AM +1000, Mark Andrews wrote:
received a lot of good feedback with the conclusion that using a restful service would be a useful transport for this type of data transfer. We certainly need your feedback on future services and encourage you and others to join an upcoming ARIN meeting so that we can get good direction from you and others.
Regards, Mark (Kosters)
DS (DNSKEY?) to parent is a general problem which needs to be solved for all delegations. It would be nice if this could be completely in-band child master to parent master so humans were completely out of the loop except to establish the initial DS RRset in the parent.
Mark (Andrews)
hey, that's what the CADR tool does. fully in-band maintenance for the child/parent interactions. only needs manual re-keying if a party loses control of the credential. -- bill

It would be nice if http://www.rs.net/cadr/ wasn't a blank page.
Mark (Andrews)
You mean someone wants the code? I'll be happy to put it back up if folks are interested.
I wanted to look at it. Updating the parent is something that needs to be automated and if this does it well enough why re-invent the wheel if we don't have to. I can see several ways to do it within the DNS framework. Can I presume you are willing to have the method turned into an RFC?

Mark

--bill

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed, 8 Jul 2009, bmanning@vacation.karoshi.com wrote:
You mean someone wants the code? I'll be happy to put it back up if folks are interested.
Thanks for putting the web pages back up. Is it possible to publish the code too?

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
On Wed, Jul 08, 2009 at 11:58:17AM +1000, Mark Andrews wrote:
hey, that's what the CADR tool does. fully in-band maintenance for the child/parent interactions. only needs manual re-keying if a party loses control of the credential. -- bill

It would be nice if http://www.rs.net/cadr/ wasn't a blank page.
Mark
for you, the pages are back.

--bill
participants (8)
- bmanning@vacation.karoshi.com
- Christopher Morrow
- Dan White
- Mark Andrews
- Mark Kosters
- Randy Bush
- Steven M. Bellovin
- Tony Finch