ARIN and DNSSEC

Tue Jul 7 17:12:52 UTC 2009

On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
> Are there any high level operational details you could share?
> 
> Specifically, are you using any commercial/OSS software to handle the 
> (automated?) periodic key roll overs?

We looked at Secure64's product but decided to follow the open source
route. We are using ISC's bind (9.6.1) for resolution service 
on ARIN-hosted servers and I'm not sure what VerSign does on theirs
(they secondary the /8's as well) but it is modern enough to support
NSEC RR's. As far as the zone signing and key management is concerned, we 
are using zkt (http://www.hznet.de/dns/zkt/) and are basically following 
RIPE's model for zone signing.

> Are you using bind? Do you have any experience or suggestions on what 
> version to start with?

Depends on what you want to do. For example, we are using plain
old NSEC which bind has supported for a while. If you want to support the 
shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later.
There are other authoritative servers that support DNSSEC as well
- NSD comes to mind but I'm sure there are others as well.

> Given that phase 3 is still a work in progress - do you anticipate 
> giving ARIN members an automated/scripted way to submit their delegation 
> records?

ARIN Online is going to have a management interface to insert DS RR's.
It would be good to hear from you and others on what sorts of ways
you would want to interface with us on bulk data transfers/uploads
etc. We had a BOF related to this with SWIPS at the last ARIN meeting and 
received a lot of good feedback with the conclusion that using a restful 
service would be a useful transport for this type of data transfer. 
We certainly need your feedback on future services and encourage you
and others to join an upcoming ARIN meeting so that we can get good 
direction from you and others.

Regards,
Mark