In message <20090708013805.ga1...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes:
> On Wed, Jul 08, 2009 at 11:09:49AM +1000, Mark Andrews wrote:
> >
> > In message <20090707171251.ga2...@arin.net>, Mark Kosters writes:
> > > On Mon, Jul 06, 2009 at 10:35:56AM -0400, Dan White wrote:
> > > > Are there any high level operational details you could share?
> > > >
> > > > Specifically, are you using any commercial/OSS software to handle the
> > > > (automated?) periodic key roll overs?
> > >
> > > We looked at Secure64's product but decided to follow the open source
> > > route. We are using ISC's bind (9.6.1) for resolution service
> > > on ARIN-hosted servers and I'm not sure what VeriSign does on theirs
> > > (they secondary the /8's as well) but it is modern enough to support
> > > NSEC RR's. As far as the zone signing and key management is concerned, we
> > > are using zkt (http://www.hznet.de/dns/zkt/) and are basically following
> > > RIPE's model for zone signing.
> > >
> > > > Are you using bind? Do you have any experience or suggestions on what
> > > > version to start with?
> > >
> > > Depends on what you want to do. For example, we are using plain
> > > old NSEC which bind has supported for a while. If you want to support the
> > > shiny new NSEC3 that .org emits, you need to have Bind 9.6.1 or later.
> > > There are other authoritative servers that support DNSSEC as well
> > > - NSD comes to mind but I'm sure there are others as well.
> > >
> > > > Given that phase 3 is still a work in progress - do you anticipate
> > > > giving ARIN members an automated/scripted way to submit their delegation
> > > > records?
> > >
> > > ARIN Online is going to have a management interface to insert DS RR's.
> > > It would be good to hear from you and others on what sorts of ways
> > > you would want to interface with us on bulk data transfers/uploads
> > > etc. We had a BOF related to this with SWIPs at the last ARIN meeting and
> > > received a lot of good feedback with the conclusion that using a RESTful
> > > service would be a useful transport for this type of data transfer.
> > > We certainly need your feedback on future services and encourage you
> > > and others to join an upcoming ARIN meeting so that we can get good
> > > direction from you and others.
> > >
> > > Regards,
> > > Mark
> >
> > DS (DNSKEY?) to parent is a general problem which needs to
> > be solved for all delegations. It would be nice if this
> > could be completely in-band child master to parent master
> > so humans were completely out of the loop except to establish
> > the initial DS RRset in the parent.
> >
> > Nanog however isn't the venue to discuss this. I would
> > think IETF DNSEXT WG <namedropp...@ops.ietf.org> would be
> > a reasonable place to hold the discussion.
> >
> > Mark
>
> hey, that's what the CADR tool does. fully in-band maintenance
> for the child/parent interactions. only needs manual re-keying
> if a party loses control of the credential.
>
> --bill

It would be nice if http://www.rs.net/cadr/ wasn't a blank page.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
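The step the thread keeps circling back to is the child handing its DS RR to the parent (here, ARIN's interface for the reverse zones). The DS is derived deterministically from the child's DNSKEY, so the child can compute it locally before submission and can later verify that what the parent publishes matches its key. The following is an added example written for this page; it is not code from the thread, from zkt, BIND, or ARIN. It implements the DS digest of RFC 4034 section 5.1.4 (hash over the canonical owner name in wire form followed by the DNSKEY RDATA) and the key tag of RFC 4034 Appendix B. The DNSKEY line, its public-key bytes and the owner name are constructed sample data, not a real key; the function names are this example's own.

```python
"""Compute and verify the DS RR for a DNSKEY (RFC 4034 sec. 5.1.4, App. B).

Added example for this page; not code from the thread, zkt, BIND or ARIN.
All sample data below is constructed.
"""
import base64
import hashlib
import struct

# Digest type numbers from RFC 4034 section 5.1.3 (SHA-256 per RFC 4509).
DIGEST_SHA1 = 1
DIGEST_SHA256 = 2
_HASHES = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, uncompressed,
    length-prefixed labels ending in the root label (RFC 4034 sec. 6.2)."""
    stripped = name.rstrip(".").lower()
    out = b""
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR ("owner [ttl] [IN] DNSKEY
    flags protocol algorithm base64...") into (owner, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for algorithms other than 1."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> dict:
    """DS fields for a DNSKEY: digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = _HASHES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],      # byte after flags (2) and protocol (1)
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_presentation(owner: str, rdata: bytes, digest_type: int = DIGEST_SHA256) -> str:
    """Presentation-format DS RR, as one would paste into a parent's interface."""
    ds = ds_record(owner, rdata, digest_type)
    return (f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


def verify_ds(ds: dict, owner: str, rdata: bytes) -> bool:
    """Check a DS (e.g. one fetched from the parent) against the child's DNSKEY."""
    expected = ds_record(owner, rdata, ds["digest_type"])
    return (expected["key_tag"] == ds["key_tag"]
            and expected["algorithm"] == ds["algorithm"]
            and expected["digest"] == ds["digest"].upper())


# Constructed sample: flags 257 (KSK with the SEP bit), protocol 3, algorithm 8.
# The "public key" is an 8-byte placeholder, not a real RSA key.
SAMPLE_KEY = bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD, 0xEF, 0x12])
SAMPLE_DNSKEY_LINE = "example.com. 3600 IN DNSKEY 257 3 8 AwEAAavN7xI="

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY_LINE)
    print(ds_presentation(owner, rdata))
    print(ds_presentation(owner, rdata, DIGEST_SHA1))
    print("parent DS matches:", verify_ds(ds_record(owner, rdata), owner, rdata))
```

Two practical points the code makes explicit: the owner name is lower-cased before hashing, so a DS computed for `EXAMPLE.COM.` and for `example.com.` is the same, and the key tag is only a 16-bit hint that can collide, so a validator (and your own check against the parent) must compare the digest, not just the tag.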