DNSSEC in .nl
a shadow deployment of DNSSEC
NLnetLabs / SIDN
Miek Gieben
miek@nlnetlabs.nl
miek@nlnetlabs.nl
Contents
Deployment
2/1
- Combined effort of NLnetLabs and SIDN
- Experiment officially started Nov 1st 2002
- will run until Nov 1st 2003
- SECREG
- SECure REGistry: secreg.nlnetlabs.nl
- email interface not (yet) functional
- web interface - registration, blocking, etc.
- Servers available
- bakbeest.sidn.nl, primary server and signer (rec)
- alpha.nlnetlabs.nl, secondary (norec)
- dnssec.nic-se.se, secondary (-)
Deployment
2/2
- Software
- BIND9 snapshot + some patches
- BIND9 still doesn't do the right thing
- recursion + dnssec problems
- 2535/DS specs followed
- spec not finished
- Limited use of the recursive server
- waiting for new snapshot of BIND9
- Currently 5 zones signed
- expect this to rise when email interface is finished (batch/automated requests)
Deployment
2/3
- Operation
- NL zone signed daily
- Zone size about 300 MB (unsigned: 40 MB)
- Hardware troubles
- Alpha 64 bit machine died Nov 6th 2002
- Moved to i386 w/ FreeBSD
- speed increase
Schedule for the coming year
3
- Documentation!
- writing BCP(s)
- SECREG documentation
- Experiment with
- NL key rollover
- NL key compromise
- NL key as split key?
- Child zone key compromise
- ?
Results thus far
4
- Created development enviroment
- 3/4 levels deep secure tree
- Awereness of DNSSEC
- Created Perl resolver
Questions and URLs
5
- Questions?
- resolver
- SECREG
Miek Gieben
miek@nlnetlabs.nl