OpenDNSSEC
Developing a free open source DNSSEC signer
Roland van Rijswijk
roland.vanrijswijk [at] surfnet.nl
June 2nd 2010, TNC2010, Vilnius

Overview
• What is OpenDNSSEC?
• Why is OpenDNSSEC important?
• Who contributes to OpenDNSSEC?
• SURFnet’s contribution to OpenDNSSEC
• What we have learned
• Our plans for the future
SURFnet. We make innovation work

DNSSEC?!
• I’m not going to tell you what DNSSEC is :-)
• For more information on that, please come to the DNSSEC event
• Thursday June 3rd (tomorrow), 12:30h - 17:30h (includes lunch), in the “Zeta” room
• Please register via http://tnc2010.dnssec.nu

What is OpenDNSSEC?
• The intention of OpenDNSSEC is to be “an open source turn-key solution for DNSSEC”
• To put it differently: push-the-button DNSSEC
• It should enable people with a working knowledge of DNS to administer a DNSSEC signed zone

Why OpenDNSSEC is important
• DNSSEC is complex -- way too complex to do by hand
• No open source tools which could automate the complete DNSSEC workflow
• Only (expensive) closed commercial solutions
• We believe it is important that key internet infrastructure components should have free open source implementations (think: Sendmail, BIND, Unbound, NSD, Apache, ...)

Status of OpenDNSSEC
• OpenDNSSEC 1.0, the first version
  • Packages for distributions available
  • Is a real “first release”, i.e. your mileage may vary (it works but there’s room for improvement)
  • Used by .uk and .se to sign their zones
• OpenDNSSEC 1.1 has been released
  • Performance improvements
  • EPP plugin
  • Changes to auditing process
• OpenDNSSEC 1.2 (±August 2010)
  • Signer engine in C instead of Python
• OpenDNSSEC 2.0
  • Lots of new features (IXFR, web interface, continuous signing, ...)

SoftHSM
• OpenDNSSEC uses Hardware Security Modules (HSMs) for key storage
• HSMs are expensive
• We needed a free alternative
• HSMs use the PKCS #11 interface
• SoftHSM is a “soft token” that implements PKCS #11
• SoftHSM is now a spin-off of OpenDNSSEC

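As an added illustration of how the signer reaches its keys through PKCS #11 (this fragment is not from the slides or from the project's own documentation): the repository part of an OpenDNSSEC conf.xml pointing at SoftHSM instead of a hardware module. The library path, token label and PIN are assumed values; the PIN is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <RepositoryList>
    <!-- Any PKCS #11 module can be named here; SoftHSM is the file-backed stand-in -->
    <Repository name="SoftHSM">
      <!-- Assumed install path of the SoftHSM PKCS #11 library (SoftHSM v2 naming) -->
      <Module>/usr/local/lib/softhsm/libsofthsm2.so</Module>
      <!-- Token initialised beforehand with SoftHSM's own tool; label is an assumed value -->
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <!-- Placeholder user PIN: conf.xml now holds a secret, so restrict it to the signer user -->
      <PIN>1234</PIN>
      <!-- SoftHSM keeps the private keys as files in its token directory, so that directory
           needs the file-system protection a real HSM would otherwise provide in hardware -->
    </Repository>
  </RepositoryList>
</Configuration>
```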
Contributors

SURFnet’s contribution
• Knowledge
  • PKCS #11
  • HSMs
• Documentation
  • Requirements
  • User documentation, manual pages
  • HSM buyer’s guide
• Testing
  • SURFnet has a different perspective than TLDs
  • HSMbully
• Code
  • SoftHSM v2 design + code

What we have learned
• It is hard to enter a running project
• We have now found our niche
• Open source projects are hard to plan
• Lots of enthusiasm gets you far
• There clearly is a need for this kind of project

Uptake of OpenDNSSEC
• Commercial vendors have adopted OpenDNSSEC
• Several ccTLDs already use OpenDNSSEC for their zones (.se, .uk) or are going to use it (.nl)
• 75% of ccTLDs in Europe adopting DNSSEC plan to use OpenDNSSEC
• SURFnet uses OpenDNSSEC as a basis for integration of DNSSEC in its managed DNS system

Future plans
• Continue contributing to OpenDNSSEC
• SoftHSM v2 to be released this summer (hopefully :-) )
• Work on open source monitoring solution for DNSSEC
• Investigate the possibility of developing an open source signer appliance (live CD/USB) based on OpenDNSSEC for our constituency
• Involve TERENA community in this work through TF Mobility work item DNSSEC

That’s all folks... Questions?
Thank you for your attention!
Roland van Rijswijk
roland.vanrijswijk [at] surfnet.nl
Presentation released under Creative Commons (http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)