experience – Findings – Lessons learned § EDUCAUSE registrar application functionality § Getting started with DNSSEC – Implementing your own testbed – Recruiting testers – Managing the process
– Exercise DNSSEC registration and resolution in a representative end-to-end test environment § Objectives – Demonstrate that all components function properly – Document where actual behavior differs from expected behavior – Obtain technical feedback from registrants – Inform future DNSSEC implementations in larger zones
Active Participants – 12 – VeriSign: operator of the .edu registry – EDUCAUSE: registrar for the .edu zone – Registrants: 10 volunteering domain name holders – 7 universities – 3 regional networks
servers with signed zones – Test servers and test zones okay – Some participants used signed production servers § Run “validating” resolvers – Configured to use testbed .edu servers as authoritative for .edu top level domain
to testbed § Add DS records of various algorithms and digests § Remove DS records § Add incorrect DS records § View DS record history report § Perform key rollover operations and DS updates § At each test stage, perform verification tests with appropriately configured validating resolver § Validate records of other participants
directly under .edu – 7 total second level domains – berkeley.edu, merit.edu, penn.edu, psc.edu, upenn.edu, internet2.edu, ucaid.edu § Signed zones further down – 58 more (as of Jan 2010) – 3rd level domains inside universities – Many are subdomains for computer science departments, or for DNS research projects. Data from SecSpider (http://secspider.cs.ucla.edu/)
General satisfaction from registrants – Minor functionality and display alterations suggested § Registrar to Registry application – Successfully exercised info, delete, and update EPP commands – Discovered a limitation in RFC 4310, which prompted a new RFC revision (draft-gould-rfc4310bis) – << Reference: http://tools.ietf.org/html/draft-gould-rfc4310bis-07 >>
identified; zones were updated correctly § Name Server resolution – Resolution worked correctly – Current version of BIND is needed for NSEC3 – << Versions to consider which are DNSSEC compatible are BIND 9.6.x >>
– Agreed that the test cases were representative of the functionality required for DNSSEC – Had a high confidence level about implementing DNSSEC § Most testers used BIND but other software packages worked too – 7 used BIND – 2 used ZKT – 1 used a DNSSEC signing appliance
strong technical understanding of the end- to-end DNSSEC process § Lack of documentation and best practices for DNSSEC implementations § Timing, managing, and automating key rollovers § Troubleshooting validation failures
the RFCs – RFC 4033 – DNSSEC introduction and requirements – RFC 4034 – Resource records for DNSSEC – RFC 4310 – DNSSEC mapping for EPP – Also see revision draft-gould-rfc4310bis – RFC 4641 – DNSSEC operational practices Reference : http://tools.ietf.org § Brush up on DNS
customer submitted data >> – Key Tag must be an integer between 1 and 65535 – Algorithm must be an integer – Digest Type must be an integer – SHA-1 Digests must be a sequence of 40 hexadecimal digits – SHA-256 Digests must be a sequence of 64 hexadecimal digits § Dig to compare the entered DS data against the public key in the domain’s zone
automatically § Allow multiple Digests to have the same Key Tag § Consider automatically generating DS records – Allow upload of BIND DSSET file or – Allow data entry of public key information
*you* understand the intricacies of DNSSEC § Evaluate the user interface of your registrar application § Make sure your <<registrant>> application WORKS § Get your registrants involved § Build confidence throughout the community
tests for testers to perform – Specify expected results of each test and ask testers to note where their results differed § Provide a way for testers to interact when they have questions § Provide a central location for tracking testing progress, noting inconsistencies, and making suggestions § Survey testers after testbed completion to gauge comfort with process and challenges faced
for .net and .com § Test the Registrar to Registry EPP interface – Leverage VeriSign’s EPP SDK & active EPP Tool – EPP SDK: http://www.verisign.com/domain-name-services/current-registrars/ epp-sdk/index.html – EPP Tool: https://epptool-ctld.verisign-grs.com/epptool/ § Test your signing and key management solution – Leverage VeriSign’s DNSSEC Tool Guide to evaluate signing solutions – Engage with VeriSign’s DNSSEC Forum to ask your questions and dialogue with technical colleagues – DNSSEC Forum: https://dnssecforum.verisign.com
shuque
fujiwara3
sansantech
aeonpeople
recruitengineers
toru_kubota
ham0215
maroon1st
manarobot
kaz1437
miyakemito
pauli
tomorrowkey
sonatard
malarkey
notwaldorf
keavy
ufuk
yeseniaperezcruz
lynnandtonic
aleyda
jakevdp
mthomps
bkeepers
shlominoach
![31 Thank You Questions? Contact Becky Granger at [email protected]](https://files.speakerdeck.com/presentations/7a9d05e44adb430fa2ed143f9206d5ef/slide_30.jpg){kind=link}