presentation-sidn-dnssec-21oct15
Transcription
presentation-sidn-dnssec-21oct15
Klik om de s+jl te bewerken Klik om de models+jlen te bewerken § Tweede niveau § Derde niveau § Vierde niveau Vijfde niveau S@mula@ng DNSSEC Valida@on at .nl DNSSEC Workshop @ ICANN54 Oct 21, 2015 Marco Davids, Jelte Jansen, Maarten Wullink, Cris@an Hesselman Wie zijn wij? | Mijlpalen | Organisa@e | Het huidige internet | Missie -‐ Visie | Diensten | 1 Referen@es | SamenvaJng SIDN • SIDN = registry for the Netherlands (.nl) • SIDN Labs = R&D team SIDN • 5.5M domain names, 1.500 registrars • Largest DNSSEC zone in the world (2.4M signed) • RSP for .amsterdam (capital) and .aw (Aruba) • Main DNSSEC challenge: valida@on #1: DNSSEC Resolver Service • DNSSEC valida@on by .nl registry • ISPs don’t, so we decided to do it ourselves • Also get more experience in opera@ng resolvers • Two resolver machines running UNBOUND • Pilot with a high school (1.000 students) • Opted for a white-‐listed service (unlike Google, Verisign) #2: DNSSEC Valida@on Device (“ValiBox”) #3: DNSSEC Valida@on Monitor “XXL” error at a registrar User Access Provider 0.90%$ Percentage)DNSSEC)valida3efouten) 0.80%$ Resolver 0.70%$ 0.60%$ 3+ level labels (and valida@on errors) .nl Registry Valida@ng Resolver 24 hours Valida3e Monitor XXL 0.40%$ 0.30%$ .nl zone file 0.20%$ 0.10%$ Email 0.00%$ 20 13 /0 20 4/2 13 0 /0 $ 20 5/2 0 13 /0 $ 20 6/2 13 0 /0 $ 20 7/2 0 13 /0 $ 20 8/2 0 13 /0 $ 20 9/2 13 0 /1 $ 20 0/2 0 13 /1 $ 20 1/2 13 0 /1 $ 20 2/2 0 14 /0 $ 20 1/2 0$ 14 / 20 02/ 14 20 /0 $ 20 3/2 0 14 /0 $ 20 4/2 14 0 /0 $ 20 5/2 0 14 /0 $ 20 6/2 14 0 /0 $ 20 7/2 0 14 /0 $ 20 8/2 0 14 /0 $ 20 9/2 14 0 /1 $ 20 0/2 0 14 /1 $ 20 1/2 14 0 /1 $ 20 2/2 0 15 /0 $ 20 1/2 0$ 15 / 20 02/ 15 20 /0 $ 20 3/2 0 15 /0 $ 20 4/2 15 0 /0 $ 20 5/2 0 15 /0 $ 6/ 20 $ Registrar/DNS operator Repair Name Server 0.50%$ Network Engineer Average Jun 15-‐Jul 15: Number: 6.080 Percentage: 0.25% XXL-‐version live Apr 4, 2015 #4: Registrar Score Card Registries Take the Lead! • ISPs won’t, at least in the Netherlands • Take a mul@-‐track approach • Offer valida@on func@onality • Help further reducing valida@on errors • Go horizontal (thru ISPs) as well as ver@cal (industry-‐specific) • Help others • Sponsor sooware development (such as UNBOUND, PowerDNS) • Sponsor large-‐scale valida@on pilots, for instance at universi@es • Enable policy development, for instance at government agencies • Promote use (internet.nl, stats.sidnlabs.nl, dnssec.nl) Ques@ons and Feedback www.sidnlabs.nl Cris@an Hesselman Manager SIDN Labs [email protected]@sidn.nl +31 6 25 07 87 33 @hesselma
Similar documents
2 ns1.nic.ve 2001:1338::3 ns2.nic.ve 2001:1418:10:2
2a02:120:0:1::53 dnscache2.unet.nl 2a02:150:7:213:183:56:33:1 2a02:16d8:0:1::2 ns.telia.lv 2a02:16d8:0:1::3 dns.telia.lv 2a02:200:1:11::100 zrh1-ns01.monzoon.net 2a02:200:1:12::100 riv1-ns01.monzoo...
More information