Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / - - PowerPoint PPT Presentation

▶

Apr 24, 2023 270 likes •363 views

Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / OpenNetLabs Place of OpenDNSSEC DNSSEC adds a new dimension to DNS; Zone files do no longer sit statically in your nameserver; DNSSEC requires constant resigning, key management

SLIDE 1

What’s new with OpenDNSSEC

Berry van Halderen Nlnet Labs / OpenNetLabs

SLIDE 2

Place of OpenDNSSEC

DNSSEC adds a new dimension to DNS; Zone files do no longer sit statically in your nameserver; DNSSEC requires constant resigning, key management and SOA serial handling; OpenDNSSEC is deliberately not integrated in a name server but acts as a bumb in the wire by sitting in between nameservers; Signing zones, managing keys, roll-overs.

SLIDE 3

Non-technical change; transfer

Before OpenDNSSEC was in the hands the Swedish Internet Structure Foundation; Several partners involved, distributed development, co-operation and focus hard; NLnet Labs being one of them; Since over a year fully transferred to NLnet Labs to secure development and maintenance.

SLIDE 4

NLnet Labs

Small non-profit focus on DNS to make for an

pen internet.

IPv6, routing, research, standardization, spread the word of open, free and safe Internet Maintains suite open source DNS products:

NSD, Unbound, GetDNS, ldns

full subsidiary of NLnet Labs

SLIDE 5

Enforcer overhauled

Complete rewrite;

No more fixed roll-over scenarios;
Change method, parameters during roll-over;
TTLs, propagation delays modifiable during roll;
Roll to unsigned; Double RRSIG, Double DS roll-
ver, algorithm rollover;
Do emergency rollover while in roll-over

Any change permissible, not worry going bogus.

SLIDE 6

More changes

Unsigned pass-through;
Event driven instead of periodic task;
Shared Keys;

Multiple zones can use the same KSK / ZSK for signing (does not require combined roll-over).

Combined Keys;

ZSK and KSK being same key

Some CLI renamed and operations changes.

SLIDE 7

Incremental 2.1, 2.2,.. development

Location, Location, Location

The location of the user;

give better feedback to users, ease of use, specify less

Procedural Environment;

Faster/dynamic updates; be aware of actual changes of zone on internet

Operational Environment;

Monitoring, statistics, insight in next tasks, integrate with

ther programs in the DNS chain

SLIDE 8

Whats new with OpenDNSSEC Berry van Halderen Nlnet Labs / - - PowerPoint PPT Presentation

What’s new with OpenDNSSEC

Berry van Halderen Nlnet Labs / OpenNetLabs

Place of OpenDNSSEC

Non-technical change; transfer

Before OpenDNSSEC was in the hands the Swedish Internet Structure Foundation; Several partners involved, distributed development, co-operation and focus hard; NLnet Labs being one of them; Since over a year fully transferred to NLnet Labs to secure development and maintenance.

NLnet Labs

Small non-profit focus on DNS to make for an

IPv6, routing, research, standardization, spread the word of open, free and safe Internet Maintains suite open source DNS products:

full subsidiary of NLnet Labs

Enforcer overhauled

Complete rewrite;

Any change permissible, not worry going bogus.

More changes

Multiple zones can use the same KSK / ZSK for signing (does not require combined roll-over).

ZSK and KSK being same key

Incremental 2.1, 2.2,.. development

Location, Location, Location

give better feedback to users, ease of use, specify less

Faster/dynamic updates; be aware of actual changes of zone on internet

Monitoring, statistics, insight in next tasks, integrate with

Need your input

berry@nlnetlabs.nl