ARIN and DNSSEC

Mark Andrews marka at isc.org
Tue Jul 7 20:58:17 CDT 2009


In message <20090708013805.GA1838 at vacation.karoshi.com.>, bmanning at vacation.karoshi.com writes:
> On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote:
> > 
> > In message <20090707171251.GA2797 at arin.net>, Mark Kosters writes:
> > > On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
> > > > Are there any high level operational details you could share?
> > > > 
> > > > Specifically, are you using any commercial/OSS software to handle the 
> > > > (automated?) periodic key roll overs?
> > > 
> > > We looked at Secure64's product but decided to follow the open source
> > > route. We are using ISC's bind (9.6.1) for resolution service 
> > > on ARIN-hosted servers and I'm not sure what VeriSign does on theirs
> > > (they secondary the /8's as well) but it is modern enough to support
> > > NSEC RR's. As far as the zone signing and key management is concerned,
> > > we are using zkt (http://www.hznet.de/dns/zkt/) and are basically
> > > following RIPE's model for zone signing.
> > > 
> > > > Are you using bind? Do you have any experience or suggestions on what 
> > > > version to start with?
> > > 
> > > Depends on what you want to do. For example, we are using plain
> > > old NSEC which bind has supported for a while. If you want to support
> > > the shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later.
> > > There are other authoritative servers that support DNSSEC as well
> > > - NSD comes to mind but I'm sure there are others as well.
> > > 
> > > > Given that phase 3 is still a work in progress - do you anticipate 
> > > > giving ARIN members an automated/scripted way to submit their
> > > > delegation records?
> > > 
> > > ARIN Online is going to have a management interface to insert DS RR's.
> > > It would be good to hear from you and others on what sorts of ways
> > > you would want to interface with us on bulk data transfers/uploads
> > > etc. We had a BOF related to this with SWIPS at the last ARIN meeting
> > > and received a lot of good feedback with the conclusion that using a
> > > restful service would be a useful transport for this type of data transfer.
> > > We certainly need your feedback on future services and encourage you
> > > and others to join an upcoming ARIN meeting so that we can get good 
> > > direction from you and others.
> > > 
> > > Regards,
> > > Mark
> > 
> > 	DS (DNSKEY?) to parent is a general problem which needs to
> > 	be solved for all delegations.  It would be nice if this
> > 	could be completely in-band child master to parent master
> > 	so humans were completely out of the loop except to establish
> > 	the initial DS RRset in the parent.
> > 
> > 	Nanog however isn't the venue to discuss this.  I would
> > 	think IETF DNSEXT WG <namedroppers at ops.ietf.org> would be
> > 	a reasonable place to hold the discussion.
> > 
> > 	Mark
> 
> 	hey, that's what the CADR tool does.  fully in-band maintenance 
> 	for the child/parent interactions.  only needs manual re-keying
> 	if a party loses control of the credential.

	It would be nice if http://www.rs.net/cadr/ wasn't a blank page.

	Mark
 
> --bill
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
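The thread above turns on getting the child's DS record into the parent (ARIN's planned interface for inserting DS RR's, and Mark's "DS (DNSKEY?) to parent" remark). Below is an added example, not from the original posts or from zkt/BIND, that shows how a zone operator derives the DS RR (RFC 4034) from a DNSKEY as printed by dig, so the value handed to the parent can be checked independently of whatever tool produced it. The DNSKEY record it uses is a constructed sample, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY in presentation format (not a real key):
# flags 257 = zone key + SEP (a KSK), protocol 3, algorithm 8 (RSASHA256),
# followed by four arbitrary public-key bytes.
SAMPLE_DNSKEY = "example.net. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rr):
    """Split a DNSKEY RR (as printed by dig) into owner, flags, algorithm and raw RDATA."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return owner, flags, algorithm, rdata


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(rr, digest_type=2):
    """Build the DS RR the parent needs: digest over owner-name wire form + DNSKEY RDATA."""
    owner, flags, algorithm, rdata = parse_dnskey(rr)
    if not flags & 0x0100:
        raise ValueError("not a zone key: ZONE flag (bit 7) is clear")
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Feed the output of `dig +norec DNSKEY <zone>` for the KSK to `ds_record` and compare the result with what `dnssec-dsfromkey` or zkt produced before submitting it to the parent.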