dnssec workshop - icann gnso...4. dnssec lessons learned: roland van rijswijk, surfnet 5. dnssec...

1

DNSSECWorkshop

Cartagena,Colombia

08December2010

Program Committee

•  MarkusTravaille,SIDN•  SimonMcCalla,Nominet

•  RussMundy,Cobham

•  SteveCrocker,Shinkuro,Inc.•  JulieHedlund,ICANN

Sponsors

•  PublicInterestRegistry

•  OpenDNSSEC•  .SE•  Afilias

•  GoDaddy•  Dyn,Inc.•  Comcast•  SIDN•  Nominet

Agenda

4

1.  CapsuleViewofDeployment:SteveCrocker,Co‐Chair,DNSSECDeploymentIniOaOve

2.  PanelDiscussion:DNSSECAdopOon‐‐BestPracOcesontheSOmulaOonoftheDeploymentofDNSSECinccTLDandgTLD’sModerator:MarkusTravaille,SIDN;Panelists:JamesBladel,GoDaddy;MaUMansell,MeshDigital/DomainMonster;PavelTuma,CZ.NIC;LanceWolak,PublicInterestRegistry;andChrisWright,AusRegistry

Agenda, Cont.

5

3.  IncidentsandResponses:RoyArends,NominetUK

4.  DNSSECLessonsLearned:RolandvanRijswijk,SURFnet

5.  DNSSECToolDevelopment:•  OpenSourceTools,RussMundy,

Co‐Chair,DNSSECDeploymentIniOaOve

•  DNSSECforHumans,JoãoDamas,InternetSystemsCorporaOon(ISC)

Agenda, Cont.

6

6.  PanelDiscussion:DNSSECImplementaOonApproaches‐‐ExperiencesandBestPracOcesontheVarietyofDNSSECDeploymentsAroundtheWorldModerator:SimonMcCalla,NominetUK;Panelists:OndrejFilip,CZNIC;MaULarson,VeriSign;RichardLamb,ICANN;RamMohan,Afilias;RickardBellgrim,InternetInfrastructureFoundaOon(.SE);JoãoDamas,InternetSystemsCorporaOon(ISC)

Agenda, Cont.

7

8.  ISPValidaOonandCapability:PreparingforandRollingOutDNSSEC:JasonLivingood,Comcast

9.  AcOviOesfromtheRegion:ErickIriarteAhon,LACTLD;RamMohan,Afilias;FredericoNeves,NIC.br

CapsuleViewofDeployment

ccTLDDNSSECDeploymentMar2010throughDec2011

SteveCrockerCo‐Chair,DNSSECDeployment

IniOaOve

8

ccTLD DNSSEC Adoption

0

10

20

30

40

50

60

Mar'10 Jun'10 Sep'10 Dec'10 Dec'11

Experimental

Announced

ParOal

Full

MeasurementofDNSSECUptake

SteveCrockerCo‐Chair,DNSSECDeployment

IniOaOve

Tracking DNSSEC Uptake •  TLDsaregeingsigned•  RegistrarsandRegistrants–sOllveryearly•  Resolversokware–reasonablygood•  Resolversinthefield–earlydays•  TeliainSweden,ComcastintheU.S.areleaders

•  ActualValidaOon–veryearlydays

Actual Validation •  AnumberresolversareautomaOcallyrequesOngsignedresponses.

•  Onlysomeoftheanswersareactuallyvalidated.

•  FromtheauthoritaOvenameserver’sperspecOve,isthereawaytotellwhichrequestsforsignedanswersarelikelytobeactuallyvalidated?

•  Yes.Lookattherequestsforthekeys.

Measuring Requests for Keys •  NeedregularmeasurementinplaceinmulOpleplaces.ThisisinprogressinmulOpleTLDs.

•  ShinkuroworkingwithPIR&Afiliasre.ORG.•  ThefollowingslidesshowfracOonoftotalqueriesandanswersthatareforkeys.•  MulOplelocaOons,acoupleofsamplesfromeach.•  Eachsampleis30to40minutes,tensofmillionsofqueries.

“Results”

•  DNSkeyqueriesareintherangeof1/100of1%orless.

•  SomevariaOonwithgeography.

•  MeasurablechangesoverOme.

•  Actualusageisobviouslyquitesmall,BUT

•  Thereisactualusageandit’smeasurable.

PanelDiscussionDNSSECAdopOon‐‐Best

PracOcesontheSOmulaOonoftheDeploymentofDNSSECin

ccTLDandgTLD’s

MarkusTravaille,SIDN,Moderator

23

Topics for Discussion

24

1.  DemandforDNSSECdomainsfromdomainowners•  Benefitsfordomainowners?•  Howtomarketthesebenefitsandcreateabusinesscase?

2.  VisibilityofDNSSECforinternetusers•  Howtoimprovethis?

•  Roleofsokwarevendors?

3.  BusinesscaseforDNSSECvalidaOon•  Toolstoreducecomplexity?

•  Howtoavoidunnecessarysupportcalls?

•  ValidaOonattheclientasasoluOon?

IncidentsandResponsesRoyArends,NominetUK

25

DNSSECLessonsLearnedRolandvanRijswijk,SURFnet

26

DNSSECToolDevelopment:

OpenSourceToolsRussMundy,Co‐Chair

DNSSECDeploymentIniOaOve

27

DNSSECToolDevelopment:

DNSSECforHumansJoãoDamas,ISC

28

29

PanelDiscussionDNSSECImplementaOon

Approaches‐‐ExperiencesandBestPracOcesontheVarietyof

DNSSECDeploymentsAroundtheWorld

SimonMcCalla,NominetUKModerator

Topics for Discussion

30

ThepanelistswilldebateanddiscussfourkeyquesOons,thevariousmeritsofeachapproach,andhowthesemightapplytodifferentsizedorganizaOonsandtheirposiOonintheDNSSEC‘chainoftrust’:1.  Whatisthehigh‐leveldesignofyourDNSSECimplementaOon

(tools&technologies)?

2.  HowdidyouimplementandintroduceDNSSECintoyourliveenvironment?

3.  WhatwerethechallengesyoufacedduringimplementaOon?

4.  Whatwerethelessonsyoulearnedfromtheexperience?

ISPValidaOonandCapability:

PreparingforandRollingOutDNSSEC

JasonLivingoodComcast

31

AcOviOesfromtheRegion

ErickIriarteAhon,LACTLDRamMohan,Afilias

FredericoNeves,NIC.br

32

ThankyouandquesOons

33