DNSSEC In the Reverse Tree – An ARIN Prospective (Mark Kosters, CTO) – PowerPoint presentation



SLIDE 1

DNSSEC In the Reverse Tree – An ARIN Prospective

Mark Kosters, CTO

SLIDE 2

ARIN Initiative

  • ARIN’s board asked ARIN Staff to implement DNSSEC
  • Turned out to be easy
  • Lots of prior work to learn from and emulate
  • Followed their work plus fixed tweaks to make it less operationally impactful

SLIDE 3

Past Efforts

  • Many TLDs have DNSSEC turned on – .SE, .BR, .ORG, etc.
  • Lots of prior work to learn from and emulate
  • RIPE turned on DNSSEC back in Q4 of 2005 via the DISI Project
    – Great description of their keying policies
    – Useful tools
  • .SE project
    – Again useful tools available – especially with key management

SLIDE 4

ARIN’s Plan

  • Lots of prior work to learn from and emulate
  • Follow RIPE’s key procedures with some modifications on timing
  • Survey key management tools
    – OpenDNSSEC
    – Secure64
    – DISI Project (RIPE)
    – DNSSEC Zone Key Tool
    – others

SLIDE 5

Principle of No Surprise

  • Documented the plan – took a lot from RIPE
    – http://www.ripe.net/rs/reverse/dnssec/
  • Had a consultation on the arin-consult mailing list
  • Slow rollout
    – https://www.arin.net/about_us/dnssec/

SLIDE 6

Complications

Trust anchors

  • Parents (root / arpa / in-addr.arpa) are not signed
  • Needs to be individually configured per recursive resolver
  • Available at:
    – https://www.arin.net/about_us/dnssec/trust_anchors.html (secured via https)
    – ftp://ftp.arin.net/pub/zones/trust_anchors.txt
    – ftp://ftp.arin.net/pub/zones/trusted_keys.txt

– OR –

Aggregated Trust Anchor Service (DLV)

  • https://dlv.isc.org/
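A trust anchor that is configured by hand in every recursive resolver is only as trustworthy as the check the operator does on it before loading it. As an added example (not code from these slides or from ARIN's own tooling), the Python below implements the RFC 4034 / RFC 4509 check: canonical owner-name encoding, key tag, and DS digest, so a fetched DNSKEY can be verified against a DS record, or the DS a parent would need can be derived from it. The DNSKEY is a constructed sample with placeholder key bytes (not a real RSA key, and not ARIN's key), and the assumption that the published trust-anchor file carries DNSKEY records in zone-file presentation format is ours.

```python
"""Check that a DNSKEY trust anchor matches a DS record (RFC 4034, RFC 4509).

Added example; not code from the ARIN slides or from ARIN's own tooling.
SAMPLE_DNSKEY is a constructed record: the key bytes are a placeholder,
not a real public key, and the owner/TTL/algorithm are sample values.
"""
import base64
import hashlib
import struct

# Constructed sample DNSKEY: KSK flags (257), protocol 3, algorithm 5 (RSASHA1).
SAMPLE_DNSKEY = "in-addr.arpa. 3600 IN DNSKEY 257 3 5 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical wire form: lower-case labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY RR into (owner, RDATA bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """Derive the DS record a parent zone (or a resolver operator) would expect for this key."""
    owner, rdata = parse_dnskey(dnskey_line)
    alg = rdata[3]  # algorithm byte of the DNSKEY RDATA
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def parse_ds(line: str):
    """Split a presentation-format DS RR into (owner, key tag, algorithm, digest type, digest)."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(f) for f in fields[i + 1:i + 4])
    return fields[0], tag, alg, dtype, "".join(fields[i + 4:]).upper()


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """True only if owner, algorithm, key tag and digest all agree."""
    ds_owner, tag, alg, dtype, digest = parse_ds(ds_line)
    owner, rdata = parse_dnskey(dnskey_line)
    if ds_owner.lower().rstrip(".") != owner.lower().rstrip("."):
        return False
    if rdata[3] != alg or key_tag(rdata) != tag:
        return False
    return ds_digest(owner, rdata, dtype) == digest


if __name__ == "__main__":
    ds = make_ds_record(SAMPLE_DNSKEY)
    print(ds)
    print("matches:", ds_matches_dnskey(ds, SAMPLE_DNSKEY))
    # A key substituted in transit (different public key bytes) must fail the check.
    tampered = SAMPLE_DNSKEY.replace("AQIDBA==", "BAMCAQ==")
    print("tampered matches:", ds_matches_dnskey(ds, tampered))
```

The same check applies to a DLV record, whose RDATA has the DS layout; only the owner name the digest is computed over differs (the child's own name, not the DLV registry name). The negative case at the end is the one that matters operationally: a substituted key with the same flags and algorithm changes the key tag and the digest, so a trust anchor copied from the wrong place fails before it is loaded.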

SLIDE 7

Phase 1 DNSSEC Capability

  • Validate that VeriSign and ARIN servers are conformant
  • Got a green light for NSEC but not NSEC3

SLIDE 8

Phase 2 – Signing the Zones

  • Turned on afternoon of July 1, 2009
  • Both VeriSign and ARIN NOC Operations on high alert
  • Saw increase of outbound traffic at z.arin.net:
    – Prior to DNSSEC, we were doing ~4.5 Mbps.
    – After DNSSEC, we jumped up to about 10.5 Mbps.
    – Currently 15–17 Mbps

SLIDE 9

Obligatory Graph

One instance in load-balanced site

SLIDE 10

Phase 3 – Serving Signed Child Zones

  • Backend schema is currently insufficient
    – DNS records tied to network allocations – needs to be done per delegation
    – Large back-office effort, 50% complete
  • Provisioning for this service will be placed in ARIN Online
    – Consistent and higher security than existing templates
    – Integrated into a managed DNS service
  • Expected to roll out in 2010
