
Posts Tagged ‘dnssec’

DNSSEC Root Signing by July 1st

Saturday, 10 Oct 09 irrashai

This is good news. A DNSSEC-signed root is to be expected on July 1st, 2010.

When the presentation slide changed from page 24 to page 25, one of the important moments of Internet history had now been announced to the public and, long awaited, “The date for full deployment of DNSSEC at the Root Zone” was confirmed: July 1, 2010. The presentation also included a brief timeline of other important dates before DNSSEC is fully deployed.

Source: http://blog.icann.org/2009/10/dnssec-signed-root-by-july-1-2010/

Categories: Technology, internet

IPv6 in 30 Minutes

Thursday, 9 Jul 09 irrashai

If you were inspired to implement DNSSEC through the presentation “DNSSEC in 6 Minutes” by Alan Clegg (ISC), today I found the IPv6 version!

As I was running through the archives of the latest NANOG meeting, I chanced upon this catchy topic. The title of the presentation, “Deploy a Production IPv6 Network in 30 Minutes or less (or it’s free)” by Richard A Steenbergen, looks very promising…

Forgive the premature post. I have to go watch the talk first (then maybe implement on a test environment) before I can really say anything. I’m hoping it can convince more people to migrate to IPv6 soon. :)

Categories: internet

.ORG is signed

Thursday, 9 Jul 09 irrashai

As of 2009-06-02, at 16:00 UTC, .ORG is DNSSEC-signed. I received this news from a mailing list last week.

Public Interest Registry has announced [link here] the key-signing key (KSK) below to validate signatures on the .ORG zone:

org.			IN DNSKEY 257 3 7 (
				AwEAAYpYfj3aaRzzkxWQqMdl7YExY81NdYSv+qayuZDo
				dnZ9IMh0bwMcYaVUdzNAbVeJ8gd6jq1sR3VvP/SR36mm
				GssbV4Udl5ORDtqiZP2TDNDHxEnKKTX+jWfytZeT7d3A
				bSzBKC0v7uZrM6M2eoJnl6id66rEUmQC2p9DrrDg9F6t
				XC9CD/zC7/y+BNNpiOdnM5DXk7HhZm7ra9E7ltL13h2m
				x7kEgU8e6npJlCoXjraIBgUDthYs48W/sdTDLu7N59rj
				CG+bpil+c8oZ9f7NR3qmSTpTP1m86RqUQnVErifrH8Kj
				DqL+3wzUdF5ACkYwt1XhPVPU+wSIlzbaAQN49PU=
				) ; key id = 21366

It uses NSEC3, which is only fully supported in BIND 9.6.1 and up.

Categories: internet

How-To: DNSSEC with DLV (with some notes)

Tuesday, 7 Apr 09 irrashai

I sometimes wonder how come I’ve never done any DNS-related How-To. I write them mainly to remind myself anyway, not for other people (but it’s a plus if someone gets something from it)… Maybe that’s it, I don’t need a reminder for something I do so often.

At least DNSSEC is something that’s not so new – I haven’t implemented it in authoritative nameservers before, just for resolvers and caching nameservers. So here’s a guide, mostly taken from ISC DLV with some side notes I inserted while working on my implementation.

Steps:

1. Enable DNSSEC on authoritative/recursive servers
2. Generate ZSK and KSK
3. Include keys into zonefile
4. Sign the zone
5. Point named.conf at the signed zone.
6. Reload zone.
7. Provide parent zone with DS records -OR-
8. Provide DLV registry with DLV record

****IN DETAIL****

Categories: How-To