presentation-sidn-dnssec-21oct15

Klik om de s+jl te bewerken
Klik om de models+jlen te bewerken
§  Tweede niveau
§  Derde niveau
§  Vierde niveau
Vijfde niveau
S@mula@ng DNSSEC Valida@on at .nl DNSSEC Workshop @ ICANN54 Oct 21, 2015 Marco Davids, Jelte Jansen, Maarten Wullink, Cris@an Hesselman Wie zijn wij? | Mijlpalen | Organisa@e | Het huidige internet | Missie -­‐ Visie | Diensten | 1 Referen@es | SamenvaJng SIDN •  SIDN = registry for the Netherlands (.nl) •  SIDN Labs = R&D team SIDN •  5.5M domain names, 1.500 registrars •  Largest DNSSEC zone in the world (2.4M signed) •  RSP for .amsterdam (capital) and .aw (Aruba) •  Main DNSSEC challenge: valida@on #1: DNSSEC Resolver Service •  DNSSEC valida@on by .nl registry •  ISPs don’t, so we decided to do it ourselves •  Also get more experience in opera@ng resolvers •  Two resolver machines running UNBOUND •  Pilot with a high school (1.000 students) •  Opted for a white-­‐listed service (unlike Google, Verisign) #2: DNSSEC Valida@on Device (“ValiBox”) #3: DNSSEC Valida@on Monitor “XXL” error at a registrar User Access Provider ’ 0.90%$
Percentage)DNSSEC)valida3efouten)
0.80%$
Resolver 0.70%$
0.60%$
3+ level labels (and Œ valida@on errors) .nl Registry Ž Valida@ng Resolver  24 hours Valida3e Monitor XXL 0.40%$
0.30%$
 .nl zone file 0.20%$
0.10%$
 Email 0.00%$
20
13
/0
20 4/2
13
0
/0 $
20 5/2
0
13
/0 $
20 6/2
13
0
/0 $
20 7/2
0
13
/0 $
20 8/2
0
13
/0 $
20 9/2
13
0
/1 $
20 0/2
0
13
/1 $
20 1/2
13
0
/1 $
20 2/2
0
14
/0 $
20 1/2
0$
14
/
20 02/
14 20
/0 $
20 3/2
0
14
/0 $
20 4/2
14
0
/0 $
20 5/2
0
14
/0 $
20 6/2
14
0
/0 $
20 7/2
0
14
/0 $
20 8/2
0
14
/0 $
20 9/2
14
0
/1 $
20 0/2
0
14
/1 $
20 1/2
14
0
/1 $
20 2/2
0
15
/0 $
20 1/2
0$
15
/
20 02/
15 20
/0 $
20 3/2
0
15
/0 $
20 4/2
15
0
/0 $
20 5/2
0
15
/0 $
6/
20
$
Registrar/DNS operator Repair ‘ Name Server 0.50%$
Network Engineer Average Jun 15-­‐Jul 15: Number: 6.080 Percentage: 0.25% XXL-­‐version live Apr 4, 2015 #4: Registrar Score Card Registries Take the Lead! •  ISPs won’t, at least in the Netherlands •  Take a mul@-­‐track approach •  Offer valida@on func@onality •  Help further reducing valida@on errors •  Go horizontal (thru ISPs) as well as ver@cal (industry-­‐specific) •  Help others •  Sponsor sooware development (such as UNBOUND, PowerDNS) •  Sponsor large-­‐scale valida@on pilots, for instance at universi@es •  Enable policy development, for instance at government agencies •  Promote use (internet.nl, stats.sidnlabs.nl, dnssec.nl) Ques@ons and Feedback www.sidnlabs.nl Cris@an Hesselman Manager SIDN Labs cris@an.hesselman@sidn.nl +31 6 25 07 87 33 @hesselma