.nl.nl experiment
Running DNSSEC at TLD registries
Miek Gieben
NLnet Labs
miek@nlnetlabs.nl
Contents:
1. Why this experiment
- Is DNSSEC ready for deployment?
- find operational problems
- gather hands-on experience
- Write down procedures and policy
- first key exchange (!)
- key rollover
- emergency (stolen private key)
- Can people work with DNSSEC?
Setup of .nl.nl
- Secure shadow tree (.nl.nl) next to .nl
- Separate registry with email interface
- Sign .nl.nl on a daily basis
- Use DNSSEC KEY as identification
2. Results
- Gained knowledge and experience
- DNSSEC was not ready
- operational and scaling problems found
- Minimize parent/child communication
- DS record allows for this
- with DS we could try the experiment again
- Maintenance burden is very (too?) high
Current .nl.nl status
- At one point 18 zones working under .nl.nl
- Experiment still active, but with only 2 zones
- All others turned bad due to expiration
- We have a serious maintenance problem
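The expiration failure mode named above (zones signed daily, then "turning bad" once nobody re-signs them) is exactly what a registry-side monitor should catch before validators start failing. The script below is an added example, not part of the presentation or NLnet Labs' tooling: it reads RRSIG records in the standard presentation format (type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature; timestamps as YYYYMMDDHHMMSS UTC), and classifies each zone by its worst signature as ok, expiring, not-yet-valid or expired. The zone names and signatures are constructed sample data, and the three-day warning window is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone fragments (hypothetical names, not zones from the
# experiment): one freshly signed zone, one about to expire, one already expired.
# Signature fields are dummy base64 placeholders.
SAMPLE_ZONE = """\
fresh.nl.nl.   3600 IN RRSIG SOA 5 3 3600 20040601000000 20040502000000 12345 fresh.nl.nl.   AAAA==
fresh.nl.nl.   3600 IN RRSIG NS  5 3 3600 20040601000000 20040502000000 12345 fresh.nl.nl.   BBBB==
soon.nl.nl.    3600 IN RRSIG SOA 5 3 3600 20040522000000 20040422000000 23456 soon.nl.nl.    CCCC==
expired.nl.nl. 3600 IN RRSIG SOA 5 3 3600 20040501000000 20040401000000 34567 expired.nl.nl. DDDD==
"""

# Assumed policy: warn when a signature has less than three days of validity left.
WARN_WINDOW = timedelta(days=3)


def parse_time(ts):
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, inception, expiration) for each RRSIG line.
    Assumes one complete RRSIG per line in presentation format."""
    for line in zone_text.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        # After the RRSIG keyword: type_covered alg labels origttl expiration inception keytag signer sig
        type_covered = fields[i + 1]
        expiration = parse_time(fields[i + 5])
        inception = parse_time(fields[i + 6])
        yield fields[0], type_covered, inception, expiration


def classify(zone_text, now, warn=WARN_WINDOW):
    """Return {owner: status}; a zone gets the worst status among its signatures.
    Statuses, from best to worst: ok, expiring, not-yet-valid, expired."""
    rank = {"ok": 0, "expiring": 1, "not-yet-valid": 2, "expired": 3}
    result = {}
    for owner, _type, inception, expiration in parse_rrsigs(zone_text):
        if now >= expiration:
            status = "expired"          # validators will reject this zone
        elif now < inception:
            status = "not-yet-valid"    # clock skew or wrong signing date
        elif expiration - now <= warn:
            status = "expiring"         # re-sign now, before it goes bad
        else:
            status = "ok"
        if rank[status] >= rank[result.get(owner, "ok")]:
            result[owner] = status
    return result


def needs_resigning(zone_text, now, warn=WARN_WINDOW):
    """Sorted list of zones whose signatures are not simply ok."""
    return sorted(o for o, s in classify(zone_text, now, warn).items() if s != "ok")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for owner, status in sorted(classify(SAMPLE_ZONE, now).items()):
        print(f"{owner:16} {status}")
    print("re-sign:", needs_resigning(SAMPLE_ZONE, now))
```

Run against a real signed zone file, the same check gives a daily list of zones to re-sign; the "not-yet-valid" case is worth keeping, since a signing host with a wrong clock produces signatures that look fine locally but fail at every validator.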
3. Future plans
- Terminating the .nl.nl experiment
- Deploying DNSSEC in .nl (for real)
DNSSEC in .nl | Setup
- whois data from .nl as starting point
- used for first key exchange
DNSSEC in .nl | Policy decisions
- Private key compromise, what do you do?
- Use positive feedback loop
- everything will need confirmation of techc/adminc/holder
- Use negative feedback loop
- no one screams "stop", continue the operation
DNSSEC in .nl | Problems
- Education of holder/registrars/etc
- Shouldn't mess with current .nl zone
- Some secondaries may not be able to handle DNSSEC RRs
- Keep shadow nameserver in sync with real (non-DNSSEC) servers
DNSSEC in .nl | Implementation
- General idea
- use whois data
- for the NS IP addresses
- starting point of trust relation
- secure registry totally separate from normal reg
- separate secure nameservers and caching forwarders
DNSSEC in .nl | Implementation
- Currently Implemented
- make secure (3 steps) + feedback
- block zone (2 steps) + feedback
- update key (3 steps) + feedback
- signing machine is ready (Alpha + Linux)
- Todo
- email robot
- database tweaks
DNSSEC in .nl | Current status
- Registry is expected to be finished in June
- Next: testing
Secure caching forwarder + shadow .nl zone = DNSSEC in .nl
Contact info and websites
Miek Gieben
miek@nlnetlabs.nl
dnssec@nlnetlabs.nl
http://secnl.nlnetlabs.nl