<!DOCTYPE html>
<html>
<head>
<title>IETF Hackathon - DNSSEC Bootstrapping </title>
<meta charset="utf-8">
<style>
@import url(https://fonts.googleapis.com/css?family=Yanone+Kaffeesatz);
@import url(https://fonts.googleapis.com/css?family=Droid+Serif:400,700,400italic);
@import url(https://fonts.googleapis.com/css?family=Ubuntu+Mono:400,700,400italic);
div.left-column { width: 49%; float: left; }
div.right-column { width: 49%; float: right; }
div.right-column ~ p { clear: both; }
div.right-column ~ ul { clear: both; }
div.my-footer {
border-top: 1px solid #ccc;
font-size: 10pt;
text-align: center;
position: fixed;
bottom: 0px;
left: 0px;
height: 30px;
width: 100%;
}
div.my-footer p {
margin-top: 10px;
height: 30px;
}
body { font-family: 'Droid Serif'; }
h1, h2, h3 {
font-family: 'Yanone Kaffeesatz';
font-weight: normal;
}
.remark-code, .remark-inline-code { font-family: 'Ubuntu Mono'; }
</style>
</head>
<body>
<textarea id="source">
class: center, middle
# DNSSEC Bootstrapping
IETF 114 – Hackathon
23-24 July 2022
Philadelphia, Pennsylvania
---
# Hackathon Plan
- Draft: <a href="https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/">draft-ietf-dnsop-dnssec-bootstrapping</a>
- Requires co-publishing the target zone's CDS/CDNSKEY records at a subdomain of the nameserver's hostname
- <u>Example</u>: Bootstrapping <code>example.co.uk</code> via <code>ns1.desec.io</code> requires:
<blockquote>
<code><i>_dsboot</i>.<b>example.co.uk</b>.<i>_signal</i>.<b>ns1.desec.io</b>. IN <b>CDS</b> ...</code>
</blockquote>
No automation so far.
- <u>Hackathon plan</u>: Automatically generate these records, either via
  - periodic cronjob, or
  - dynamic synthesis (by nameserver when queried)
<div class="my-footer"><p>IETF Hackathon - DNSSEC Bootstrapping </p></div>
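---
# Example: generating the signaling records
An added sketch of the cronjob-style approach, not code from the draft, the linked repos or the hackathon team. The function names, the CDS rdata and `ns2.example.net` are constructed for illustration; the length limits are the general DNS ones.

```python
# Added example: not code from the draft, the cronjob repo or the deSEC PR.
MAX_NAME_OCTETS = 255   # general DNS limit for a name in wire format
MAX_LABEL_OCTETS = 63   # general DNS limit for a single label


def _labels(name):
    """Lower-case an ASCII hostname and split it into labels (root dot ignored)."""
    name.encode("ascii")  # non-ASCII input raises UnicodeEncodeError (a ValueError)
    return name.lower().rstrip(".").split(".")


def signaling_name(zone, nameserver):
    """Return _dsboot.<zone>._signal.<nameserver>. or raise ValueError."""
    labels = ["_dsboot", *_labels(zone), "_signal", *_labels(nameserver)]
    if any(not label or len(label) > MAX_LABEL_OCTETS for label in labels):
        raise ValueError(f"empty or over-long label in {zone!r} / {nameserver!r}")
    # Wire length: one length octet per label plus the terminating root octet.
    if sum(len(label) + 1 for label in labels) + 1 > MAX_NAME_OCTETS:
        raise ValueError(f"signaling name for {zone!r} exceeds 255 octets")
    return ".".join(labels) + "."


def bootstrap_rrsets(zone, nameservers, records):
    """Map each nameserver's signaling name to zone-file lines for the records.

    records: (rrtype, rdata) tuples copied from the zone apex. Types other
    than CDS/CDNSKEY are rejected rather than silently co-published.
    """
    for rrtype, _ in records:
        if rrtype not in ("CDS", "CDNSKEY"):
            raise ValueError(f"unexpected record type {rrtype!r}")
    out = {}
    for ns in sorted({n.lower().rstrip(".") for n in nameservers}):
        owner = signaling_name(zone, ns)
        out[owner] = [f"{owner} IN {rrtype} {rdata}" for rrtype, rdata in records]
    return out


# Constructed sample input: the digest is a placeholder, not a real key hash.
SAMPLE_RECORDS = [("CDS", "12345 13 2 " + "ab" * 32)]
SAMPLE_NS = ["ns1.desec.io", "NS1.desec.io.", "ns2.example.net"]  # ns2 is made up

if __name__ == "__main__":
    for owner, lines in bootstrap_rrsets("example.co.uk", SAMPLE_NS, SAMPLE_RECORDS).items():
        print("\n".join(lines))
```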
---
# What got done
- Agreement: Expose only minimal configuration to admin
  - Tagging a zone as "bootstrapping zone" enables synthesis for all managed zones
- Code:
  - deployed:
    - saltant.net: cronjob (catalog zone → bootstrap zone) (<a href="https://gitlab.com/neirbowj/ietf114-hackathon-dnssec-bootstrap">GitLab repo</a>)
    - at deSEC: PowerDNS record synthesis (<a href="https://github.com/desec-io/desec-ns/pull/46">deSEC PR #46</a>)
  - in the works:
    - Knot DNS module
- Techniques:
  - cronjob: Python script
  - PowerDNS: Lua records
  - Knot DNS: native C module
<div class="my-footer"><p>IETF Hackathon - DNSSEC Bootstrapping </p></div>
---
# What we learned
- Pretty straightforward, plan worked overall
- Learned some things about Lua – good to have an expert at the table :-)
- <u>Unexpected insight</u>: bootstrap zones also have 2 NS records<br />→ need to have them on two secondaries
  - e.g. <code>_signal.ns1.desec.io</code> is hosted on ns1 <i>and</i> ns2
- Protocol seems workable in practice
<div class="my-footer"><p>IETF Hackathon - DNSSEC Bootstrapping </p></div>
---
# Video demo
<iframe src="https://player.vimeo.com/video/732999113" width="760" height="420" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe>
<div class="my-footer"><p>IETF Hackathon - DNSSEC Bootstrapping </p></div>
---
# Wrap up
---
.left-column[
#### Team members:
Cronjob:
- John O'Brien
PowerDNS synthesis:
- Jerry Lundström
- Nils Wisiol
Knot DNS synthesis:
- Peter Thomassen
]
.right-column[
#### First timers @ IETF/Hackathon:
- John O'Brien
- Nils Wisiol
]
<div class="my-footer"><p>IETF Hackathon - DNSSEC Bootstrapping </p></div>
</textarea>
<script src="https://remarkjs.com/downloads/remark-latest.min.js">
</script>
<script>
var slideshow = remark.create();
</script>
</body>
</html>