Who am I? DNSSEC and Registrars? Employed by Netnod Who am I? - - PowerPoint PPT Presentation

who am i
SMART_READER_LITE
LIVE PREVIEW

Who am I? DNSSEC and Registrars? Employed by Netnod Who am I? - - PowerPoint PPT Presentation

Jul 19, 2023 42 likes •196 views

Who am I? DNSSEC and Registrars? Employed by Netnod Who am I? Employed by Netnod IX, DNS, Root, NTP 50% owner of Frobbit! Registrar ccTLD DNS hosting etc SSAC Chair ICANN gTLD1 gTLD2 Registry Registry gTLD1 gTLD1

slide-1
SLIDE 1

Who am I?

  • Employed by Netnod

DNSSEC and Registrars?

slide-2
SLIDE 2

Who am I?

  • Employed by Netnod
  • IX, DNS, Root, NTP
  • 50% owner of Frobbit!
  • Registrar ccTLD
  • DNS hosting etc
  • SSAC Chair
slide-3
SLIDE 3

gTLD1 Registrar1 gTLD1 Registrant1 gTLD1 Registrant2 gTLD1 Registrar2 gTLD1 Registrant3 gTLD1 Registrant4 gTLD2 Registrar1 gTLD2 Registrant1 gTLD2 Registrant2 gTLD2 Registrar2 gTLD2 Registrant3 gTLD2 Registrant4 gTLD1 Registry gTLD2 Registry ICANN a.gtld1 b.gtld1 c.gtld1 d.gtld1 e.gtld2 f.gtld2 g.gtld2 h.gtld2

slide-4
SLIDE 4

a.gtld1 a.gtld2 a.gtld3 b.gtld1 b.gtld2 b.gtld3 c.gtld1 c.gtld2 c.gtld3 Registrant1 Registrant2 Registrar 1 Registrar 2 Registrar 3 Registrar 4 gTLD1 Registry gTLD2 Registry gTLD3 Registry ICANN

slide-5
SLIDE 5

a.tld1 a.tld2 a.tld3 Registrant1 Registrar 4 TLD1 Registry TLD2 Registry TLD3 Registry DNS Operator 1

slide-6
SLIDE 6

Perl Library Net::DRI version 0.96

  • Net::DRI::DRD - Superclass of all Net::DRI Registry Drivers
  • 48 different: ASIA, AT, AU, AdamsNames, BE, BIZ, BR, BZ, CAT,

CIRA, COOP, CZ, CoCCA, DENIC, EURid, GL, Gandi, HN, ICANN, IENUMAT, IM, INFO, IRegistry, IT, LC, LU, ME, MN, MOBI, NAME, NO, NU, Nominet, ORG, OVH, OpenSRS, PL, PRO, PT, SC, SE, SIDN, SWITCH, TRAVEL, US, VC, VNDS and WS

  • Net::DRI::Protocol::EPP::Extensions - Various extensions
  • 34 different: AERO, AFNIC, ARNES, ASIA, AT, AU, Afilias, BR, CAT,

CIRA, COOP, CZ, CentralNic, DNSBE, EurID, FCCN, GracePeriod, IENUMAT, IRegistry, IT, LU, MOBI, NAME, NO, NSgroup, NeuLevel, Nominet, PL, PRO, SE, SIDN, SWITCH, US and VeriSign

slide-7
SLIDE 7

Specifically for DNSSEC

5910 Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP).

  • J. Gould, S. Hollenbeck. May 2010. (Format: TXT=72490

bytes) (Obsoletes RFC4310) (Status: PROPOSED STANDARD)

slide-8
SLIDE 8
  • 4. DS Data Interface and Key Data Interface
  • This document describes operational scenarios in which a client can

create, add, and remove Delegation Signer (DS) information or key data information for a domain name. There are two different forms of interfaces that a server can support. The first is called the "DS Data Interface", where the client is responsible for the creation of the DS information and is required to pass DS information when performing adds and removes. The server is required to pass DS information for <domain:info> responses. The second is the "Key Data Interface," where the client is responsible for passing the key data information when performing adds and removes. The server is responsible for passing key data information for <domain:info> responses.

slide-9
SLIDE 9
  • 4. DS Data Interface and Key Data Interface
  • This document describes operational scenarios in which a client can

create, add, and remove Delegation Signer (DS) information or key data information for a domain name. There are two different forms of interfaces that a server can support. The first is called the "DS Data Interface", where the client is responsible for the creation of the DS information and is required to pass DS information when performing adds and removes. The server is required to pass DS information for <domain:info> responses. The second is the "Key Data Interface," where the client is responsible for passing the key data information when performing adds and removes. The server is responsible for passing key data information for <domain:info> responses.

slide-10
SLIDE 10

Why two?

  • Search for accepting DS vs DNSKEY and you find

discussions that have been going on for as long as we have been discussing DNSSEC, registry/ registrar model and epp.

  • We have not been able to converge...
slide-11
SLIDE 11

What’s up?

  • DNS operator passes DS or DNSKEY to registrar
  • Registrar passes DS or DNSKEY to registry
  • Registry places signed DS in their zone
slide-12
SLIDE 12

What’s problematic?

  • Some registries want DS, others DNSKEY
  • Changing DNS operator is difficult
  • Changing Registrar is difficult
  • Being DNS operator and not registrar is difficult
  • Synchronizing change of DNSSEC data in parent

and child zone is…almost impossible

slide-13
SLIDE 13

Solutions?

  • Out of band mechanism for bootstrap
  • If one have trust via DNSSEC, and data is

published, data can be fetched from the child zone

  • Data should be fetched by the registrar
  • Does still not solve the problem with different

registries having different policies

slide-14
SLIDE 14

draft-ietf-dnsop-delegation-trust-maintainance?

Abstract

  • This document describes a method to allow DNS
  • perators to more easily update DNSSEC Key

Signing Keys using DNS as communication

  • channel. This document does not address the

initial configuration of trust anchors for a domain. The technique described is aimed at delegations in which it is currently hard to move information from the child to parent.

slide-15
SLIDE 15

Patrik Fältström

Head of research and development
 Netnod Tel: +46-70-6059051
 SIP/XMPP/Email: paf@netnod.se