1
DNSSECWorkshop
Cartagena,Colombia
08December2010
Program Committee
• MarkusTravaille,SIDN• SimonMcCalla,Nominet
• RussMundy,Cobham
• SteveCrocker,Shinkuro,Inc.• JulieHedlund,ICANN
Sponsors
• PublicInterestRegistry
• OpenDNSSEC• .SE• Afilias
• GoDaddy• Dyn,Inc.• Comcast• SIDN• Nominet
Agenda
4
1. CapsuleViewofDeployment:SteveCrocker,Co‐Chair,DNSSECDeploymentIniOaOve
2. PanelDiscussion:DNSSECAdopOon‐‐BestPracOcesontheSOmulaOonoftheDeploymentofDNSSECinccTLDandgTLD’sModerator:MarkusTravaille,SIDN;Panelists:JamesBladel,GoDaddy;MaUMansell,MeshDigital/DomainMonster;PavelTuma,CZ.NIC;LanceWolak,PublicInterestRegistry;andChrisWright,AusRegistry
Agenda, Cont.
5
3. IncidentsandResponses:RoyArends,NominetUK
4. DNSSECLessonsLearned:RolandvanRijswijk,SURFnet
5. DNSSECToolDevelopment:• OpenSourceTools,RussMundy,
Co‐Chair,DNSSECDeploymentIniOaOve
• DNSSECforHumans,JoãoDamas,InternetSystemsCorporaOon(ISC)
Agenda, Cont.
6
6. PanelDiscussion:DNSSECImplementaOonApproaches‐‐ExperiencesandBestPracOcesontheVarietyofDNSSECDeploymentsAroundtheWorldModerator:SimonMcCalla,NominetUK;Panelists:OndrejFilip,CZNIC;MaULarson,VeriSign;RichardLamb,ICANN;RamMohan,Afilias;RickardBellgrim,InternetInfrastructureFoundaOon(.SE);JoãoDamas,InternetSystemsCorporaOon(ISC)
Agenda, Cont.
7
8. ISPValidaOonandCapability:PreparingforandRollingOutDNSSEC:JasonLivingood,Comcast
9. AcOviOesfromtheRegion:ErickIriarteAhon,LACTLD;RamMohan,Afilias;FredericoNeves,NIC.br
CapsuleViewofDeployment
ccTLDDNSSECDeploymentMar2010throughDec2011
SteveCrockerCo‐Chair,DNSSECDeployment
IniOaOve
8
ccTLD DNSSEC Adoption
0
10
20
30
40
50
60
Mar'10 Jun'10 Sep'10 Dec'10 Dec'11
Experimental
Announced
ParOal
Full
MeasurementofDNSSECUptake
SteveCrockerCo‐Chair,DNSSECDeployment
IniOaOve
Tracking DNSSEC Uptake • TLDsaregeingsigned• RegistrarsandRegistrants–sOllveryearly• Resolversokware–reasonablygood• Resolversinthefield–earlydays• TeliainSweden,ComcastintheU.S.areleaders
• ActualValidaOon–veryearlydays
Actual Validation • AnumberresolversareautomaOcallyrequesOngsignedresponses.
• Onlysomeoftheanswersareactuallyvalidated.
• FromtheauthoritaOvenameserver’sperspecOve,isthereawaytotellwhichrequestsforsignedanswersarelikelytobeactuallyvalidated?
• Yes.Lookattherequestsforthekeys.
Measuring Requests for Keys • NeedregularmeasurementinplaceinmulOpleplaces.ThisisinprogressinmulOpleTLDs.
• ShinkuroworkingwithPIR&Afiliasre.ORG.• ThefollowingslidesshowfracOonoftotalqueriesandanswersthatareforkeys.• MulOplelocaOons,acoupleofsamplesfromeach.• Eachsampleis30to40minutes,tensofmillionsofqueries.
“Results”
• DNSkeyqueriesareintherangeof1/100of1%orless.
• SomevariaOonwithgeography.
• MeasurablechangesoverOme.
• Actualusageisobviouslyquitesmall,BUT
• Thereisactualusageandit’smeasurable.
PanelDiscussionDNSSECAdopOon‐‐Best
PracOcesontheSOmulaOonoftheDeploymentofDNSSECin
ccTLDandgTLD’s
MarkusTravaille,SIDN,Moderator
23
Topics for Discussion
24
1. DemandforDNSSECdomainsfromdomainowners• Benefitsfordomainowners?• Howtomarketthesebenefitsandcreateabusinesscase?
2. VisibilityofDNSSECforinternetusers• Howtoimprovethis?
• Roleofsokwarevendors?
3. BusinesscaseforDNSSECvalidaOon• Toolstoreducecomplexity?
• Howtoavoidunnecessarysupportcalls?
• ValidaOonattheclientasasoluOon?
IncidentsandResponsesRoyArends,NominetUK
25
DNSSECLessonsLearnedRolandvanRijswijk,SURFnet
26
DNSSECToolDevelopment:
OpenSourceToolsRussMundy,Co‐Chair
DNSSECDeploymentIniOaOve
27
DNSSECToolDevelopment:
DNSSECforHumansJoãoDamas,ISC
28
29
PanelDiscussionDNSSECImplementaOon
Approaches‐‐ExperiencesandBestPracOcesontheVarietyof
DNSSECDeploymentsAroundtheWorld
SimonMcCalla,NominetUKModerator
Topics for Discussion
30
ThepanelistswilldebateanddiscussfourkeyquesOons,thevariousmeritsofeachapproach,andhowthesemightapplytodifferentsizedorganizaOonsandtheirposiOonintheDNSSEC‘chainoftrust’:1. Whatisthehigh‐leveldesignofyourDNSSECimplementaOon
(tools&technologies)?
2. HowdidyouimplementandintroduceDNSSECintoyourliveenvironment?
3. WhatwerethechallengesyoufacedduringimplementaOon?
4. Whatwerethelessonsyoulearnedfromtheexperience?
ISPValidaOonandCapability:
PreparingforandRollingOutDNSSEC
JasonLivingoodComcast
31
AcOviOesfromtheRegion
ErickIriarteAhon,LACTLDRamMohan,Afilias
FredericoNeves,NIC.br
32
ThankyouandquesOons
33