2003 DNSSEC Workshop (Amsterdam)

Jan 21 – 23, 2002

About the Workshop

Attendees:

Jaap Akkerhuis
David Blacka
Joao Damas
Miek Gieben
Olaf Kolkman
Mark Kosters
Matt Larson
Ted Lindgreen
Juergen Pfleger
Sam Weiler (2nd and 3rd days)
Suzanne Woolf (2nd and 3rd days)

Overview:

This is a DNSSEC workshop, where folks get together and test various aspects of the DNSSEC specification to see if they work. This workshop will (at least initially) focus on the DNSSEC Opt-In specification.

Location:

The workshop takes place in the RIPE NCC training room from Tuesday 21st to Thursday 23rd. Unfortunately the training room is not available on Friday. We'll be starting Tuesday 9:30 and we expect people between 9:00 and 9:30. How to get to the RIPE NCC is described here (the training room is in the RIPE NCC offices).

Food:

The RIPE NCC will cater lunch; simple Dutch sandwiches. Reply to Olaf privately if you have special vegetarian or other wishes.

Network

We will be running the network on private address space. The 'testnet' will be available through copper and wave. The RIPE NCC 'guestnet', connected to the Internet, will also be available on wavelan. The SSIDs will be 'testnet' and 'guestnet' respectively. The IPs on the 'testnet' will need to be hand configured, the 'guestnet' runs DHCP.

The 'testnet' will be configured with a root server with a TLD 'ws' for the workshop machines themselves. There will be a web server and anonymous ftp server for exchanging files.

The testnet is configured to be 192.168.53/24.

Zone	Nameserver	Address
"."	ns1.ws.	192.168.53.10
ws.	ns2.ws.	192.168.53.11
in-addr.arpa.	ns3.ws	192.168.53.12
53.169.192.in-addr.arpa	ns3.ws	192.168.53.12

Addresses on the testnet have been preallocated:

Person	Hostname	IP Address
Olaf Kolkman	olaf.ws.	192.168.53.100
Daniel Massey	dan.ws.	192.168.53.101
Miek Gieben	miek.ws.	192.168.53.202
Jaap Akkerhuis	jaap.ws.	192.168.53.203
David Blacka	david.ws.	192.168.53.204
Matt Larson	matt.ws.	192.168.53.205
Mark Kosters	mark.ws.	192.168.53.206
Suzanne Woolf	suzanne.ws.	192.168.53.207
Joao Damas	joao.ws.	192.168.53.208
Ted Lindgreen	ted.ws	192.168.53.209
Sam Weiler	sam.ws.	192.168.53.210
Juergen Pfleger	juergen.ws.	192.168.53.211

If you are not on this list and are coming to the workshop, we can easily add you.

Agenda

Day 1 (Jan 21, 2003)

Chair: David Blacka

Goals:

Set up test environment
Test opt-in zone signing and resolution

Tasks:

Get everyone on the testnet network and configured correctly.
Set up the Opt-In test environment.
Run the Opt-In tests and record the results.
Develop agenda for day 2.

Day 2 (Jan 22, 2003)

Chair: TBD

Goals: TBD

Tasks: TBD

Day 3 (Jan 23, 2003)

Chair: TBD

Goals: TBD

Tasks: TBD

Tests

Opt-In Tests

The Test Environment

The plan is to have a three-level DNS heirarchy in order to test secure resolution through Opt-In zones.

Root

"." will be the existing testnet root nameserver. It will start out unsigned, later we will sign it.

TLD

Since one of the primary uses of Opt-In is for TLDs we will have two TLDs set up to do opt-in, each using different software. We will set up a normally secure TLD for comparison purposes.

"optin" will be an Opt-In TLD using the BIND 9 snapshot.

"test" will be an Opt-In TLD using the Verisign Opt-In proxy server,and a BIND 8 server.

"secure" will be a normally fully-secured zone.

SLD

We will have some standard SLDs that will exist under each TLD. This should allow us to test resolution through combinations of secure and opt-in zones.

optin.(optin,test,secure): will be an opt-in signed SLD.
secure.(optin,test,secure): will be a normally signed SLD.
insecure.(optin,test,secure): will be a unsigned SLD.

The Tests

Sign the opt-in TLDs and SLDs using Opt-In. This will test whatever opt-in capable zone signing software we have.
Exchange KEY/DS sets with the parents. We've tested this before, but it doesn't hurt to do it again.
Initially, the root will not be signed, so the resolvers will have to be configured with the trusted key from each TLD.

Test resolving secure and insecure delegations directly:

  dig @ns.test. a.secure.test. a +dnssec
  (AD bit should be 1)
  (repeat using the "optin" TLD)

  dig @ns.test. a.insecure.test. a +dnssec
  (AD bit should be 0)
  (repeat using the "optin" TLD)

Test to see if we can securely resolve through a secure delegation:

  dig a.secure.optin. a +dnssec
  dig a.secure.test. a +dnssec
  dig a.optin.optin. a +dnssec
  dig a.optin.test. a +dnssec

The AD bit should be 1 in this case.

Test to see if we can secure resolve through an insecure delegation:

  dig a.insecure.optin. a +dnssec
  dig a.insecure.test. a +dnssec
  dig ins.optin.optin. ns +dnssec

The AD bit should be 0.

Add a wildcard to the optin TLD, resign and test the wildcard behavior.

  dig a.notthere.optin a +dnssec
  dig @ns.optin. a.secure.optin. a +dnssec

Additional Tests

If we can, we should test some marginal cases. This will require a zone signer that will sign zones either incorrectly or oddly.

The situation where a insecure delegation name is included in the NXT chain using an Opt-In tagged NXT.
Various incorrect Opt-In situations: something other than NS records in the insecure span, incorrectly flagged NXT records, etc.

Task/Software Matrix

Zone	Assignee	Software	Address
"."	Workshop Machine (Olaf)		192.168.53.10
ws.	Workshop Machine (Olaf)		192.168.53.11
test.	David Blacka	Verisignlabs Opt-In Proxy	192.168.53.204
optin.		bind 9.3.?-snap
secure.		bind 9.3.?
optin.test.		bind 9.3.?-snap
secure.test.
insecure.test
optin.optin		bind 9.3.?-snap
secure.optin.
insecure.optin.
optin.secure.		bind 9.3.?-snap
secure.secure.
insecure.secure.
resolver 1
resolver 2