Re: ARIN and DNSSEC

[Mark Andrews <marka () isc org>]

In message <20090708013805.GA1838 () vacation karoshi com.>, bmanning () vacation kar
oshi.com writes:
> On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote:
> > In message <20090707171251.GA2797 () arin net>, Mark Kosters writes:
> > > On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
> > > > Are there any high level operational details you could share?
> > > >
> > > > Specifically, are you using any commercial/OSS software to handle the 
> > > > (automated?) periodic key roll overs?
> > >
> > > We looked at Secure64's product but decided to follow the open source
> > > route. We are using ISC's bind (9.6.1) for resolution service 
> > > on ARIN-hosted servers and I'm not sure what VerSign does on theirs
> > > (they secondary the /8's as well) but it is modern enough to support
> > > NSEC RR's. As far as the zone signing and key management is concerned, we
>  
> > > are using zkt (http://www.hznet.de/dns/zkt/) and are basically following 
> > > RIPE's model for zone signing.
> > >
> > > > Are you using bind? Do you have any experience or suggestions on what 
> > > > version to start with?
> > >
> > > Depends on what you want to do. For example, we are using plain
> > > old NSEC which bind has supported for a while. If you want to support the
>  
> > > shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later.
> > > There are other authoritative servers that support DNSSEC as well
> > > - NSD comes to mind but I'm sure there are others as well.
> > >
> > > > Given that phase 3 is still a work in progress - do you anticipate 
> > > > giving ARIN members an automated/scripted way to submit their delegatio
> n 
> > > > records?
> > >
> > > ARIN Online is going to have a management interface to insert DS RR's.
> > > It would be good to hear from you and others on what sorts of ways
> > > you would want to interface with us on bulk data transfers/uploads
> > > etc. We had a BOF related to this with SWIPS at the last ARIN meeting and
>  
> > > received a lot of good feedback with the conclusion that using a restful 
> > > service would be a useful transport for this type of data transfer. 
> > > We certainly need your feedback on future services and encourage you
> > > and others to join an upcoming ARIN meeting so that we can get good 
> > > direction from you and others.
> > >
> > > Regards,
> > > Mark
> >
> >     DS (DNSKEY?) to parent is a general problem which needs to
> >     be solved for all delegations.  It would be nice if this
> >     could be completely in-band child master to parent master
> >     so humans were completely out of the loop except to establish
> >     the initial DS RRset in the parent.
> >
> >     Nanog however isn't the venue to discuss this.  I would
> >     think IETF DNSEXT WG <namedroppers () ops ietf org> would be
> >     a reasonable place to hold the discussion.
> >
> >     Mark
>
>       hey, thats what the CADR tool does.  fully in-band maintainace 
>       for the child/parent interactions.  only needs manual re-keying
>       if a party loses control of the credential.

        It would be nice if http://www.rs.net/cadr/ wan't a blank page.

        Mark
 
> --bill
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org