2006.06.07 NANOG-NOTES DNSSEC bootstrapping with DLV

(last notes from NANOG37, yay! I definitely fell further behind
this time around than in Dallas. Unfortunately, I don't think
I'll be allowed to go to St. Louis, so I probably won't be
able to provide notes for NANOG38. --Matt)

2006.06.07 Deploying DNSSEC--bootstrap yourself
Joao Damas, ISC
[notes are at

DNSSEC status
standard is complete and usable
some minor nits with regards to some privacy issues
2 implementations: NSD, BIND
at least one DNSSEC aware resolver (BIND 9.3.2 and later)

Really, you just need some data.

DNSSEC follows a hierarchical model for signatures.
sign the root zone
get root zone to delegation sign TLDs
get TLDs to delegation-sign SLDs,

Today, the root zone remains unsigned
  likely will be this way for some time
Very few TLDs have signed their zones and offer
delegation signatures
.se, .ru, .org

DNSSEC provides for local trust anchors
you can use trust-anchors clause in BIND
problem: if you have too many, it becomes a nightmare
to maintain, so it doesn't get used.
very manual process

Enter DLV, domain lookaside validation
it's an implementation feature, not a change to the
  protocol; matter of local policy
enables access to a remote, signed repository of
  trust anchors, via the DNS
implemented in BIND's resolver so far
  more to follow?

unfortunately, requires you to trust remote

DLV lookup
a DLV enabled resolver will try to find a secure
entry point using regular DNSSEC; only if it fails
is DLV used, if it is configured.

[picture of DLV lookup chain]

On resolver (BIND)
add to named.conf
  in the options section
  // DNSSEC config
  dnssec-enable yes;
  dnssec-lookaside . trust-anchor dlv.isc.org.;
get the key from ISC's web: http://www.isc.org/ops/dlv
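
[added example, not from the talk or from ISC: a small model of the
lookup order described above (regular DNSSEC first, DLV only as a
fallback) and of choosing the deepest configured lookaside point. The
stripping of leading labels follows the DLV search described in RFC 5074;
the second registry name is constructed.]

```python
# Added illustration: function names and the "mil." registry are constructed.

def labels(name):
    """Split a domain name into lowercase labels; '.' gives an empty list."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def pick_lookaside(zone, lookaside):
    """Return (point, dlv_zone) for the deepest configured namespace point
    enclosing zone, or None. There is only one DLV zone per point."""
    z, best = labels(zone), None
    for point, dlv_zone in lookaside.items():
        p = labels(point)
        encloses = not p or z[-len(p):] == p
        if encloses and (best is None or len(p) > len(labels(best[0]))):
            best = (point, dlv_zone)
    return best

def dlv_candidates(zone, lookaside):
    """DLV owner names to query, most specific first: the zone name with the
    DLV zone appended, then the same with leading labels stripped."""
    hit = pick_lookaside(zone, lookaside)
    if hit is None:
        return []
    point, dlv_zone = hit
    z, floor = labels(zone), max(len(labels(point)), 1)
    suffix = ".".join(labels(dlv_zone)) + "."
    return [".".join(z[i:]) + "." + suffix for i in range(len(z) - floor + 1)]

def trust_path(zone, chain_is_secure, lookaside):
    """Regular DNSSEC chain wins; DLV is consulted only when the chain
    fails and a lookaside point covering the zone is configured."""
    if chain_is_secure:
        return ("dnssec-chain", [])
    names = dlv_candidates(zone, lookaside)
    return ("dlv", names) if names else ("insecure", [])

# Constructed configuration: the root-level registry from the slide plus a
# hypothetical stricter registry for one TLD.
LOOKASIDE = {".": "dlv.isc.org.", "mil.": "dlv.registry.example."}

if __name__ == "__main__":
    for zone, secure in [("example.se", True), ("example.com", False),
                         ("army.mil", False)]:
        print(zone, trust_path(zone, secure, LOOKASIDE))
```
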

ISC is operating a DLV registry free of charge for anyone
who wants to secure their DNS
Likely some closed orgs will use their own (eg mil)
have a look, start using it!

Any questions?

Q: Mark Kosters, Verisign: Any plans to configure DLV
registries per TLD?
Q: Would be good to allow it to be configured per TLD.

Q: Randy Bush, IIJ: some feeling or understanding how
IANA, root would validate keys/zones it has keys for;
don't understand how ISC proposes to validate keys
it would be storing. He suggests they publish the
security policy.
registrar. Otherwise, it's like PGP; show me your
face, show me your key.

Q: Paul Vixie, ISC, following up on Mark Kosters;
you can only have one DLV for any point in the
namespace; you can specify a different one for a
TLD than root; that allows a TLD DLV to be paranoid,
like .mil, who doesn't want to trust anyone else
with key information.
If every TLD wanted to do that, they would find
high levels of cut-and-paste fatigue, so ISC will
operate a root level DLV server as well.

Q: Rick Wesson, runs Alice's Registry, a small registrar.
he's considering doing this, he can help DNS holders
register their keys if people are interested, and
will help get them into the DLV tree.

Q: Sam Wiler?, Sparta: concerns from Randy about how
ISC will authenticate the entries. Registrars should
consider running their own DLV servers, as they have
the relationship with the domain holder.

Code? Apparently you don't need code...

NANOG 37, ending slides.

425 attendees, 118 first timers
lots of countries
most USA, 11 canada, scattered others.
ISP, then NSP, then other categories.

top 3 companies represented: Cisco, Juniper, Equinix

HUGE thanks to Rodney Joffe and Neustar for
pulling off a miracle to make this happen at the
last minute!

Thanks to sponsors, beer, gear, other.

Susan R Harris, many thanks to her for all
the work she has put in over the years and
to make this happen!

Also huge thanks to all the other people
at Merit

And we'll see you in St. Louis, Oct 8-10th,
joint meeting with ARIN, things set in stone.

Network will go down in 30 minutes or so--pack
up and go home! :)

I think that was the fastest closing I've seen at
a NANOG yet. ^_^;;