Deploying DNSSec root in productive enviroments
- From: Lutz Donnerhacke <lutz@xxxxxxxxxxx>
- Date: Fri, 13 Apr 2007 16:26:48 +0000 (UTC)
-----BEGIN PGP SIGNED MESSAGE-----
I'm happy to announce a new DNSSec Root to play with.
What is going on
~~~~~~~~~~~~~~~~
This root is designed to be used in running productive systems.
That's why the amount of play and modifications is limited.
The root's content comes from http://www.internic.net/zones/ and is updated
each working day. In order to get the signed component of the root running,
some modifications are necessary:
- The SOA record is replaced in order to obtain a serial number
for signature updates and a consistent primary NS, which can
be used for zone transfers.
- The NS records are replaced by those providing signed data.
- Necessary glue is inserted.
- Some additional zones are signed too, in order to create trusted paths
to already signed zones. in-addr.arpa is the most prominent one.
Some other zones are also signed and replaced in the same manner:
int, arpa, in-addr.arpa, and edu.
Alternative TLDs are included on request, in order to
- play with DNSSec without leaving the signed root environment.
- allow already existing alternative TLDs within the signed environment.
Excluding them requires the operators to choose between signed and
their alternative environments.
- allow internationalization.
In the case of name clashes, the official ICANN domains are always the
relevant ones. All other conflicts should be decided by discussion.
How to use it
~~~~~~~~~~~~~
Modify your recursive name server (example for bind):
- - - - - - - - - - - - - named.conf- - - - - - - - - - - - - - - - - - -
logging {
    channel dnssec_log {
        file "/var/log/named.dnssec.log" versions 1 size 10m;
        print-time yes;
        print-category no;
        print-severity yes;
        // severity debug 3; // uncomment for debugging
    };
    category dnssec { dnssec_log; };
};
options {
    ...
    dnssec-enable yes;
    dnssec-validation yes;
};
trusted-keys {
    // flags 257 (zone key + SEP, i.e. a KSK), protocol 3, algorithm 5 (RSASHA1)
    "." 257 3 5 "BQEAAAABu13HdYlS35tf+wtpDlwkfPhz9sCqYHMPUDXfNUt8ePPrBPQx
    ZvZIx7tere9mX3u1tC8Ooxr5IMQa7D2yn2ZfomVk9rF+7Rtxtlu9LmNS
    DcqCa7JwrJyhg3eDyQ/+2fOwb+XhVEsjoMFY09DglZSWHroKOieFw4X1
    sZLvmmXczYv2yzd/uP5xIxxofh++vfQ4505oYlkymLehWXfT1lqqpszH
    9d/A7GHGmgdS8uyXq5LJC+PPJjdndcas4DH/Ja24NrIvzzX8ZXNimO13
    +YMnKQdDSxS3yQWztSVgcY2GwRLWM9fiCX+e351OnIhYE+FjhHdg6M71
    6Jf8ZDGoBO5Qrn3HMejItFBekBo9Rf2ZYzukSbu06CfFBpX/HQuAOYfp
    2/7D56cG8SRH2d0sF3KAygSwAs3XvDv/dXcKMMqKftw5nxvv50o9OOUH
    gIR9kGVAax90oz1ZgtygQMMTHe2QuAaLwqso19Y2jb3qHIvyi+N94rwQ
    DzUrnMR3RFbL8P4XF4yzrYIEXkx6U9X8myHYQxbHdZ3N4rBoBvjjACX1
    Vpl7bdDnKC/bITW34xpmNRZl+3K80zx5r0t9O9Csdylgach0CCNsu1I9
    ERHYk/rEdzvSOiwSDYpMB3MlgYARjjWfx8YfSp1QV4fwo3i6ZZ3yFtlY
    Kcw23zD5Qe/YtLQ5H+8=";
};
// root hints pointing at the servers of the signed root (file below)
zone "." {
    type hint;
    file "db.signed";
};
- - - - - - - - - - - - - db.signed- - - - - - - - - - - - - - - - - - - -
;
.                           72000 IN NS   a.dnssec.thur.de.
.                           72000 IN NS   a.dnssec-root.iks-jena.de.
.                           72000 IN NS   b.dnssec-root.iks-jena.de.
;
a.dnssec.thur.de.           86400 IN AAAA 2001:4bd8:1::53
;
a.dnssec-root.iks-jena.de.  57035 IN AAAA 2001:4bd8::53
a.dnssec-root.iks-jena.de.  57035 IN A    217.17.192.202
;
b.dnssec-root.iks-jena.de.  57019 IN AAAA 2001:4bd8::1053
b.dnssec-root.iks-jena.de.  57019 IN A    217.17.192.203
;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Restart your name server daemon.
How to participate
~~~~~~~~~~~~~~~~~
We are looking for additional secondaries!
In order to set up a secondary, install a name server on a system, which
does not yet provide name services (example for bind):
- - - - - - - - - - - - - named.conf- - - - - - - - - - - - - - - - - - -
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { none; };
    allow-query-cache { none; };
    notify no;
    recursion no;
    listen-on { xxx; };      // please fill
    listen-on-v6 { xxx; };   // please fill
    hostname "xxx.";         // please fill
    server-id "xxx";         // please fill
    dnssec-enable yes;
};
// Zones to mirror, you are free to uncomment any of them.
zone "." {
    type slave;
    masters { 2001:4bd8:1::53; };
    file "root.backup";
};
zone "arpa." {
    type slave;
    masters { 2001:4bd8:1::53; };
    file "arpa.backup";
};
zone "edu." {
    type slave;
    masters { 2001:4bd8:1::53; };
    file "edu.backup";
};
zone "in-addr.arpa." {
    type slave;
    masters { 2001:4bd8:1::53; };
    file "inaddr.backup";
};
zone "int." {
    type slave;
    masters { 2001:4bd8:1::53; };
    file "int.backup";
};
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If your system is up, running and ready for stable, long term service,
please drop me an email. I'll update the secondary table.
It's strongly recommended to use single, fresh IPs for the secondary to
announce. The address should be easy to migrate to a different system,
because it's very hard to change the hint file on third party systems.
Warning
~~~~~~~
On activation of dnssec-validation, all domains below com. and net. are lost.
The name servers of com. and net. do respond to DNSSec enabled queries for
DS records with FORMERR.
Have fun.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iQCiAwUBRh+ua5FeTizbCJMJAQGEJwRnSMlGpv1WFQQaPSydlCN6xNT8n8jgxzaE
+8at1KfqwkhDMAH5+0DZ4Qv7AUe1o9DC6NR+LjemqqErsTPA9v95UJy5pCa9y61n
ocewohJYw+SkaJnD6AvGGyOr8Z05Xdqa2wZfldjuJLRqWzX97gLbPFATms9ZzKp/
0tYrcg2yJZkvnqqoCu/ME9aua4bq
=It/J
-----END PGP SIGNATURE-----
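Before pasting a trusted-keys entry like the one above into a validating resolver, an operator will want to know what they are actually anchoring on: the key tag, the DS digests and the key size, so they can be compared with what the zone's servers publish (for instance `dig . DNSKEY +dnssec` against the hint servers, or the output of `dnssec-dsfromkey`). The following script is an added example and is not code from the posting or its author; it takes the `"."` entry exactly as given in the announcement, rebuilds the DNSKEY RDATA and computes those values with the standard library only.

```python
"""Inspect a BIND trusted-keys entry before installing it as a trust anchor.

Added example (not from the original posting): rebuilds the DNSKEY RDATA of
the "." entry given in the announcement, computes the RFC 4034 key tag, the
DS digests and the RSA key size, for comparison with what the zone operator
publishes (e.g. dnssec-dsfromkey output or 'dig . DNSKEY +dnssec').
"""
import base64
import hashlib
import re
import struct

# The trusted-keys block from the announcement, key verbatim (wrapped as there).
TRUSTED_KEYS_CONF = '''
trusted-keys {
    "." 257 3 5 "BQEAAAABu13HdYlS35tf+wtpDlwkfPhz9sCqYHMPUDXfNUt8ePPrBPQx
    ZvZIx7tere9mX3u1tC8Ooxr5IMQa7D2yn2ZfomVk9rF+7Rtxtlu9LmNS
    DcqCa7JwrJyhg3eDyQ/+2fOwb+XhVEsjoMFY09DglZSWHroKOieFw4X1
    sZLvmmXczYv2yzd/uP5xIxxofh++vfQ4505oYlkymLehWXfT1lqqpszH
    9d/A7GHGmgdS8uyXq5LJC+PPJjdndcas4DH/Ja24NrIvzzX8ZXNimO13
    +YMnKQdDSxS3yQWztSVgcY2GwRLWM9fiCX+e351OnIhYE+FjhHdg6M71
    6Jf8ZDGoBO5Qrn3HMejItFBekBo9Rf2ZYzukSbu06CfFBpX/HQuAOYfp
    2/7D56cG8SRH2d0sF3KAygSwAs3XvDv/dXcKMMqKftw5nxvv50o9OOUH
    gIR9kGVAax90oz1ZgtygQMMTHe2QuAaLwqso19Y2jb3qHIvyi+N94rwQ
    DzUrnMR3RFbL8P4XF4yzrYIEXkx6U9X8myHYQxbHdZ3N4rBoBvjjACX1
    Vpl7bdDnKC/bITW34xpmNRZl+3K80zx5r0t9O9Csdylgach0CCNsu1I9
    ERHYk/rEdzvSOiwSDYpMB3MlgYARjjWfx8YfSp1QV4fwo3i6ZZ3yFtlY
    Kcw23zD5Qe/YtLQ5H+8=";
};
'''

# owner, flags, protocol, algorithm, quoted key (may span several lines)
ENTRY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"')
RSA_ALGORITHMS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3, RSASHA256, RSASHA512

def parse_trusted_keys(conf):
    """Yield (owner, flags, protocol, algorithm, key_bytes) per entry."""
    for owner, flags, proto, alg, key_b64 in ENTRY_RE.findall(conf):
        key = base64.b64decode("".join(key_b64.split()))  # drop line wrapping
        yield owner, int(flags), int(proto), int(alg), key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Wire-format owner name; the root "." is a single zero octet."""
    labels = [x for x in name.rstrip(".").lower().split(".") if x]
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"

def ds_digest(name, rdata, hashname):
    """DS digest (RFC 4034 section 5.1.4): hash(owner name wire | DNSKEY RDATA)."""
    return hashlib.new(hashname, owner_wire(name) + rdata).hexdigest().upper()

def rsa_public_key(key):
    """Split an RFC 3110 RSA public key into (exponent, modulus)."""
    if key[0]:                                   # one-octet exponent length
        elen, off = key[0], 1
    else:                                        # zero, then two-octet length
        elen, off = struct.unpack("!H", key[1:3])[0], 3
    return (int.from_bytes(key[off:off + elen], "big"),
            int.from_bytes(key[off + elen:], "big"))

def describe(conf):
    """Summarise every trust anchor in a trusted-keys block."""
    out = []
    for owner, flags, proto, alg, key in parse_trusted_keys(conf):
        rdata = struct.pack("!HBB", flags, proto, alg) + key
        info = {
            "owner": owner,
            "is_zone_key": bool(flags & 0x0100),   # ZONE bit
            "is_sep": bool(flags & 0x0001),        # SEP bit; 257 = ZONE+SEP = KSK
            "protocol_ok": proto == 3,             # DNSKEY protocol must be 3
            "algorithm": alg,
            "key_tag": key_tag(rdata),
            "ds_sha1": ds_digest(owner, rdata, "sha1"),
            "ds_sha256": ds_digest(owner, rdata, "sha256"),
        }
        if alg in RSA_ALGORITHMS:
            exponent, modulus = rsa_public_key(key)
            info["rsa_exponent"], info["rsa_bits"] = exponent, modulus.bit_length()
        out.append(info)
    return out

if __name__ == "__main__":
    for info in describe(TRUSTED_KEYS_CONF):
        print("\n".join(f"{k:12} {v}" for k, v in info.items()))
```

The key tag printed here is the number a resolver logs in the dnssec channel configured above when it reports a validation failure, so it is worth noting down at install time; the DS digests are what a parent zone would carry if this key were ever delegated to rather than configured statically.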