[115732] in North American Network Operators' Group
Re: ARIN and DNSSEC
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Tue Jul 7 21:41:23 2009
Date: Wed, 8 Jul 2009 01:38:05 +0000
From: bmanning@vacation.karoshi.com
To: Mark Andrews <marka@isc.org>
In-Reply-To: <200907080109.n6819nwv028701@drugs.dv.isc.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote:
>
> In message <20090707171251.GA2797@arin.net>, Mark Kosters writes:
> > On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
> > > Are there any high level operational details you could share?
> > >
> > > Specifically, are you using any commercial/OSS software to handle the
> > > (automated?) periodic key roll overs?
> >
> > We looked at Secure64's product but decided to follow the open source
> > route. We are using ISC's bind (9.6.1) for resolution service
> > on ARIN-hosted servers and I'm not sure what VeriSign does on theirs
> > (they secondary the /8's as well) but it is modern enough to support
> > NSEC RR's. As far as the zone signing and key management is concerned, we
> > are using zkt (http://www.hznet.de/dns/zkt/) and are basically following
> > RIPE's model for zone signing.
> >
> > > Are you using bind? Do you have any experience or suggestions on what
> > > version to start with?
> >
> > Depends on what you want to do. For example, we are using plain
> > old NSEC which bind has supported for a while. If you want to support the
> > shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later.
> > There are other authoritative servers that support DNSSEC as well
> > - NSD comes to mind but I'm sure there are others as well.
> >
> > > Given that phase 3 is still a work in progress - do you anticipate
> > > giving ARIN members an automated/scripted way to submit their delegation
> > > records?
> >
> > ARIN Online is going to have a management interface to insert DS RR's.
> > It would be good to hear from you and others on what sorts of ways
> > you would want to interface with us on bulk data transfers/uploads
> > etc. We had a BOF related to this with SWIPS at the last ARIN meeting and
> > received a lot of good feedback with the conclusion that using a RESTful
> > service would be a useful transport for this type of data transfer.
> > We certainly need your feedback on future services and encourage you
> > and others to join an upcoming ARIN meeting so that we can get good
> > direction from you and others.
> >
> > Regards,
> > Mark
>
> DS (DNSKEY?) to parent is a general problem which needs to
> be solved for all delegations. It would be nice if this
> could be completely in-band child master to parent master
> so humans were completely out of the loop except to establish
> the initial DS RRset in the parent.
>
> Nanog however isn't the venue to discuss this. I would
> think IETF DNSEXT WG <namedroppers@ops.ietf.org> would be
> a reasonable place to hold the discussion.
>
> Mark
hey, that's what the CADR tool does. fully in-band maintenance
for the child/parent interactions. only needs manual re-keying
if a party loses control of the credential.
--bill
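The DS RRset the thread wants moved from child to parent (by hand via ARIN Online, or in-band as Mark and Bill describe) is derived from the child's DNSKEY. As an added example, not code from this thread, from ARIN or from any CADR tool, here is the RFC 4034 DS computation (SHA-1 and SHA-256 digest types) plus the check a parent-side intake would run before publishing a submitted DS: does it actually match the child's DNSKEY? The DNSKEY below is a constructed four-byte sample, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (4-byte fake public key "AQIDBA==" = bytes 01 02 03 04); not a real key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 (RFC 4034) and 2 (RFC 4509)


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase labels, RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA wire form: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the RDATA (RFC 4034 Appendix B, the non-RSA/MD5 variant)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(rr: str):
    """Split 'owner [ttl] [IN] DNSKEY flags protocol algorithm key...' into its parts."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, protocol, algorithm, "".join(f[i + 4:])


def dnskey_to_ds(rr: str, digest_type: int = 2) -> str:
    """DS RR the child must get into the parent: digest over owner name + DNSKEY RDATA."""
    owner, flags, protocol, algorithm, b64 = parse_dnskey(rr)
    rdata = dnskey_rdata(flags, protocol, algorithm, b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(dnskey_rr: str, ds_rr: str) -> bool:
    """Parent-side check: does a submitted DS really describe this DNSKEY?"""
    f = ds_rr.split()
    i = f.index("DS")
    tag, algorithm, digest_type = (int(x) for x in f[i + 1:i + 4])
    submitted = "".join(f[i + 4:]).upper()
    if digest_type not in DIGESTS:
        return False  # unknown digest type: cannot validate, so do not publish it
    expected = dnskey_to_ds(dnskey_rr, digest_type).split()
    return (int(expected[3]), int(expected[4]), expected[6]) == (tag, algorithm, submitted)
```

The key tag is only a hint (it is not unique), so the match is decided on the digest, not the tag alone.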