Hi all. There are two conferences coming up early next year that have a track on DNSSEC. Both NZNOG and APRICOT are looking to find people who have experience and would be happy to share their thoughts. My feeling is that actual use in .nz is small however I'd love to hear from you if there's something you've done with DNSSEC. Ideally we'd like people who are willing to talk in Manilla or Auckland but even just a few shared thoughts are appreciated. http://2009.nznog.org/ http://apricot2009.net/ BTW, registrations are open for both. Register now! :) Sam.
done a bit... ran a good sized testbed from 1998-2006, funded an NSEC3 implementation that became UNBOUND, designed and funded CADR, a registry/registrar system, operated a TLD that was DNSSEC-signed and have run production signed in-addr and ip6 zones for six years - even did some significant DNSSEC training for the APNIC staff and as workshops for Apricot for almost a decade. :) I'll be @ NZNOG... no current plans to hit Manila tho. --bill On Wed, Dec 10, 2008 at 12:19:07PM +1300, Sam Sargeant wrote:
Hi all. There are two conferences coming up early next year that have a track on DNSSEC. Both NZNOG and APRICOT are looking to find people who have experience and would be happy to share their thoughts.
My feeling is that actual use in .nz is small however I'd love to hear from you if there's something you've done with DNSSEC. Ideally we'd like people who are willing to talk in Manilla or Auckland but even just a few shared thoughts are appreciated.
BTW, registrations are open for both. Register now! :)
Sam.
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
Hi, On Wed, 2008-12-10 at 12:19 +1300, Sam Sargeant wrote:
My feeling is that actual use in .nz is small however I'd love to hear from you if there's something you've done with DNSSEC. Ideally we'd like people who are willing to talk in Manilla or Auckland but even just a few shared thoughts are appreciated.
I've played around a bit with DNSSEC. I even gave a talk on it at linux.conf.au in Melbourne at the start of this year. While I would have liked to have gone to NZNOG'09, unfortunately I have a schedule clash and can't make it next year. I also currently have no plans to attend APRICOT. I'd certainly be interested in following any discussions around DNSSEC in .nz. Cheers! -- Andrew Ruthven Wellington, New Zealand At home: andrew(a)etc.gen.nz | This space intentionally | left blank.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Howdy. so.. as per http://www.dnc.org.nz/content/geek_2nd_round_abley_et_al.pdf "2.1 Operational experience in integrating DNSSEC [1] as an extension to existing NZ SRS registry services. GEEK.NZ will function as a testbed, facilitating the roll-out of security extensions into other second-level domains promptly and with minimal risk as DNS security is rolled out into the production DNS root. " I'd say why not sign the geek.nz should probably be signed and results presented at NZNOG. thanks -gaurab Sam Sargeant wrote:
Hi all. There are two conferences coming up early next year that have a track on DNSSEC. Both NZNOG and APRICOT are looking to find people who have experience and would be happy to share their thoughts.
My feeling is that actual use in .nz is small however I'd love to hear from you if there's something you've done with DNSSEC. Ideally we'd like people who are willing to talk in Manilla or Auckland but even just a few shared thoughts are appreciated.
BTW, registrations are open for both. Register now! :)
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAklKxScACgkQSo7fU26F3X0igQCfY64RHYIHq9VlwR8mTTtGQrkV sJIAn3rKAi0Bjzf/AkhxAdpv60zQFgOG =+f6v -----END PGP SIGNATURE-----
Gaurab Raj Upadhaya wrote:
I'd say why not sign the geek.nz should probably be signed and results
presented at NZNOG.
Due to .nz policy requirements, a NSEC3 version of DNSSEC is required to sign the .nz zone. When a production version of BIND 9.6 (contains NSEC3) is released (early 2009?) a project to sign the .nz zones will commence. Dave Baker .nz Registry Services
On 2008-12-18, at 18:12, DNS wrote:
Gaurab Raj Upadhaya wrote:
I'd say why not sign the geek.nz should probably be signed and results
presented at NZNOG.
Due to .nz policy requirements, a NSEC3 version of DNSSEC is required to sign the .nz zone. When a production version of BIND 9.6 (contains NSEC3) is released (early 2009?) a project to sign the .nz zones will commence.
Note also that production-ready NSD code has been shipping with NSEC3 for some time, and it has some quite high-voume users. There was an interop event held between various vendors (including ISC and NLNetLabs) an IETF or two ago to iron out some problems between implementations of NSEC3 in authority-only servers and resolvers, and I hear good work was done. So the code readiness is something that is seeing active work, sufficient at least for people like PIR to put a lot of effort into developing a plan to sign ORG with NSEC3. However! What's missing from this picture is validator deployment. Signing all the TLDs in the world and the root won't help secure the DNS if no resolver ever asks for a secure answer. Deploying validators is something that operators could be working on right now, without waiting for TLDs or 2LDs to be signed. There are several TLDs that have been signed for some time, and guidance for how to configure a validator with a handful of manually-maintained trust anchors, or ISC's DLV registry, or both is not hard to find. Really, cutting your teeth on a validator with an unsigned NZ zone (when the worst that can happen is that some customers have trouble resolving names under, say, SE due to a validator configuration problem) sounds like a much better plan than trying to get a validator working nicely with a signed NZ, with all your customers shouting at you that they can't reach asb.co.nz. If people are really interested in seeing DNSSEC deployed in NZ then there is more work to do than simply waiting for NZRS, and plenty to be getting on with right away. Joe
participants (6)
-
Andrew Ruthven -
bmanning@vacation.karoshi.com -
DNS -
Gaurab Raj Upadhaya -
Joe Abley -
Sam Sargeant