.nl.nl experiment

Running DNSSEC at TLD registries



Miek Gieben
NLnet Labs

miek@nlnetlabs.nl


Contents:
  • 1. Why this experiment
  • 2. Results
  • 3. Future plans

1. Why this experiment

  • Is DNSSEC ready for deployment?
    • find operational problems
    • gather hands-on experience
  • Write down procedures and policy
    • first key exchange (!)
    • key roll over
    • emergency (stolen private key)
  • Can people work with DNSSEC?
    • workshops

Setup of .nl.nl
  • In cooperation with
    • CENTR
    • SIDN
    • RIPE NCC
  • Secure shadow tree (.nl.nl) next to .nl
  • Separate registry with email interface
  • Sign .nl.nl on a daily basis
  • Use DNSSEC KEY as identification

2. Results

  • Gained knowledge and experience
  • DNSSEC was not ready
    • operational and scaling problems found
  • Minimize parent/child communication
    • DS record allows for this
    • with DS we could try the experiment again
  • BIND9 difficult to use
  • Maintenance burden is very (too?) high
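As an added example (not code from the .nl.nl experiment or from NLnet Labs), this is what "minimize parent/child communication with DS" amounts to in practice: the parent publishes only a SHA-1 digest of the child's key, so the child can re-sign, roll other keys and change anything except the key the DS points at without involving the registry. The owner name and key material below are constructed for this example (the base64 blob is not a real RSA key; the DS computation only hashes the RDATA bytes); the layout follows RFC 3658 / RFC 4034, digest type 1, SHA-1 over the canonical owner name followed by the KEY/DNSKEY RDATA.

```python
import base64
import hashlib

# Constructed sample key in presentation format (flags, protocol, algorithm,
# base64 public key). Made up for this example; not a real key.
SAMPLE_OWNER = "example.nl."
SAMPLE_KEY = "256 3 5 AQOqu8zd7v8="


def owner_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the root label (RFC 4034 section 6.2)."""
    name = owner.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_to_rdata(key_text: str) -> bytes:
    """Turn 'flags protocol algorithm base64...' into KEY/DNSKEY RDATA bytes."""
    flags, protocol, algorithm, *b64 = key_text.split()
    return (
        int(flags).to_bytes(2, "big")
        + bytes([int(protocol), int(algorithm)])
        + base64.b64decode("".join(b64))
    )


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 appendix B): a 16-bit checksum of the RDATA used as a
    non-unique hint when matching a DS to a key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key_text: str) -> str:
    """Build the DS record the parent publishes:
    keytag, algorithm, digest type 1, SHA-1(owner name wire | key RDATA)."""
    rdata = key_to_rdata(key_text)
    digest = hashlib.sha1(owner_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} 1 {digest}"


def ds_matches_key(ds_text: str, owner: str, key_text: str) -> bool:
    """Check that a DS held by the parent still matches the child's key.
    Fails closed: any change to the key, algorithm or owner breaks the match."""
    fields = ds_text.split()
    tag, alg, dtype, digest = int(fields[3]), int(fields[4]), int(fields[5]), fields[6]
    rdata = key_to_rdata(key_text)
    if dtype != 1 or alg != rdata[3] or tag != key_tag(rdata):
        return False
    expected = hashlib.sha1(owner_to_wire(owner) + rdata).hexdigest().upper()
    return digest == expected


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KEY)
    print(ds)
    print("matches:", ds_matches_key(ds, SAMPLE_OWNER, SAMPLE_KEY))
```

The owner name is lowercased before hashing, so the DS is the same whatever case the registrant typed; the key tag is only a hint, and the digest comparison is the actual check.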

Current .nl.nl status
  • At one point 18 zones working under .nl.nl
  • Experiment still active, but with only 2 zones
  • All others turned bad because their signatures expired
  • We have a serious maintenance problem
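The zones that "turned bad" did so because nobody noticed their signatures running out. As an added example (not code from the experiment), a minimal check that reads SIG/RRSIG records in presentation format and reports which zones are expired or about to expire; run daily, this is the mail an operator wants before a zone goes dark. The records below are constructed for this example, not data from .nl.nl, and the field order is the RFC 2535 SIG layout, which RFC 4034 RRSIG keeps.

```python
from datetime import datetime, timezone

# Constructed SIG lines: owner TTL IN SIG type alg labels origTTL
# expiration inception keytag signer signature (times are YYYYMMDDHHMMSS UTC).
# Made up for this example; not records from .nl.nl.
SAMPLE_SIGS = [
    "a.nl.nl. 3600 IN SIG SOA 5 3 3600 20030614120000 20030514120000 27553 a.nl.nl. AAAA",
    "b.nl.nl. 3600 IN SIG SOA 5 3 3600 20030620120000 20030520120000 11111 b.nl.nl. BBBB",
    "c.nl.nl. 3600 IN SIG SOA 5 3 3600 20030730120000 20030530120000 22222 c.nl.nl. CCCC",
]


def parse_sig_time(stamp: str) -> datetime:
    """Signature times are absolute UTC, YYYYMMDDHHMMSS."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_sig(line: str, now: datetime, warn_days: int = 7):
    """Return (owner, status, days_left) for one SIG/RRSIG line.
    status is 'expired', 'not-yet-valid', 'warning' (expires within
    warn_days) or 'ok'. days_left is negative once the signature is gone."""
    f = line.split()
    owner = f[0]
    if f[3] not in ("SIG", "RRSIG"):
        raise ValueError(f"not a signature record: {line}")
    expiration = parse_sig_time(f[8])
    inception = parse_sig_time(f[9])
    remaining = expiration - now
    days_left = remaining.days
    if now >= expiration:
        return owner, "expired", days_left
    if now < inception:
        return owner, "not-yet-valid", days_left
    if remaining.total_seconds() <= warn_days * 86400:
        return owner, "warning", days_left
    return owner, "ok", days_left


def zones_needing_resign(lines, now: datetime, warn_days: int = 7):
    """Owners whose signatures are gone, not yet valid, or close to expiry."""
    return [
        owner
        for owner, status, _ in (classify_sig(l, now, warn_days) for l in lines)
        if status != "ok"
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for line in SAMPLE_SIGS:
        print(classify_sig(line, now))
```

The warning window should be longer than the gap between signing runs; with daily signing and validity of a month, a week of warning gives several chances to notice a broken signer before resolvers start failing the zone.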

3. Future plans

  • Terminating the .nl.nl experiment
  • Deploying DNSSEC in .nl (for real)

DNSSEC in .nl | Setup
  • Setup
    • RFC 2535 + DS is used
    • no OPT-IN
    • website + email robot
    • separate signing machine
    • whois data from .nl as starting point
      • used for first key exchange

DNSSEC in .nl | Policy decisions
  • Private key compromise, what do you do?
  • Use positive feedback loop
    • everything will need confirmation of techc/adminc/holder
  • Use negative feedback loop
    • no one screams "stop", continue the operation
  • DNSSEC as PKI?
    • not (yet?) in .nl

DNSSEC in .nl | Problems
  • Education of holder/registrars/etc
  • Shouldn't mess with current .nl zone
  • Some secondaries may not be able to handle DNSSEC RRs
    • solution in sight
  • First key exchange
  • Keep shadow nameserver in sync with real (non-DNSSEC) servers

DNSSEC in .nl | Implementation
  • General idea
    • use whois data
      • for the NS ip addresses
      • starting point of trust relation
    • secure registry totally separate from normal reg
    • separate secure nameservers and caching forwarders
    • sign once a day

DNSSEC in .nl | Implementation
  • Currently implemented
    • make secure (3 steps) + feedback
    • block zone (2 steps) + feedback
    • update key (3 steps) + feedback
    • signing machine is ready (Alpha + Linux)
  • Todo
    • email robot
    • database tweaks

DNSSEC in .nl | Current status
  • Registry is expected to be finished in June
  • Next: testing
  • Point your resolver to:
Secure caching forwarder + shadow .nl zone = DNSSEC in .nl

Contact info and websites

Miek Gieben
miek@nlnetlabs.nl
dnssec@nlnetlabs.nl

http://secnl.nlnetlabs.nl