Unblocking The Main Thread Solving ANRs and Frozen Frames
Internet2 DNSSEC Pilot
1. Internet2 DNSSEC Pilot
Shumon Huque
University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop
Madison, Wisconsin, U.S.A., July 19th 2006
2. 2 Shumon Huque
Description of the Pilot
• Goal: Deploy DNSSEC and gain operational
experience
• Participants sign at least one of their zones
• Exchange keys (trust anchors) that will allow
them to mutually validate DNS data
• Setup security-aware resolvers
• With these trust anchors configured
3. 3 Shumon Huque
A little background ..
• Feb ‘06: DNSSEC Workshop held at
Albuquerque Joint Techs
• Mar ‘06: dnssec@internet2 mailing list
• Apr ‘06: Internet2 Spring Member meeting
• Advisory group formed and plans for a pilot project
formulated
• May ‘06: Pilot group began
• Bi-weekly conference calls and progress reports
4. 4 Shumon Huque
DNSSEC Deployment Efforts so far
• MAGPI GigaPoP
• All production zones (17 total)
• https://rosetta.upenn.edu/magpi/dnssec.html
• MERIT
• radb.net
• nanog.org
• NYSERNET - a test zone
• nyserlab.org
5. 5 Shumon Huque
Deployments in the pipeline ..
• University of Pennsylvania
• University of California - Berkeley
• University of California - Los Angeles
• Internet2
6. 6 Shumon Huque
Ongoing work & discussion
• To DLV or not? (and if so, which registry?)
• “DNSSEC Lookaside Validation”
• Deploy NSEC3 or not?
• Stub resolver support options
• Key exchange & maintenance policies
• Better protection of long term keys
• Secure delegations from parents
• .edu, .net, .org, .in-addr.arpa
7. 7 Shumon Huque
More participants welcome!
• Join mailing list and con calls
• Requirements?