This update provides information on the progress and challenges of implementing DNSSEC and IPv6 within the LBLnet Services Group. Topics covered include DNSSEC key management, test zone deployment, and the ongoing work on IPv6 implementation.
LBNL Site Update Mike Bennett LBLnet Services Group ESCC 4 February, 2010
Overview • DNSSEC work • IPv6 work
DNSSEC work • Started out by setting up DNSSEC lookaside validation (DLV) on our nameservers, using ISC's DLV server • This has caused a number of service disruptions • E.g. a site signs its zone but makes one or more mistakes: the zone works when it is not being validated but breaks once the DNSSEC records are checked • We have a signed test zone: lbl.dnsops.gov • Key management is one big issue, since a mistake there (an expired signature, a key withdrawn before caches have dropped it) black-holes the zone for every validating resolver
DNSSEC work • We're using Casey Deccio's zonetool, which is publicly available: http://zonetool.sourceforge.net/ • One problem recently solved: our NS records had explicit TTLs of one week, so a zone key roll took a week to complete (the old key cannot be withdrawn until every cached copy of the data it signed has expired) • Now using the zone default of 12 hours • lbl.gov will likely be signed in the next 4-6 weeks • We're looking into an appliance to manage keys in the long term • Thanks to Craig Leres for providing most of the content for this update
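An added check for the TTL problem above (example code written for this page; it is not part of zonetool or of LBLnet's tooling). It parses a constructed zone file whose $TTL default is 12 hours but whose NS records are pinned to one week, lists every record with an explicit TTL above the default, and computes the lower bound on a pre-publish ZSK roll as described in RFC 6781: after publishing the new DNSKEY, wait out the DNSKEY TTL; after re-signing with the new key, wait out the longest TTL of any signed RRset; only then withdraw the old key. The zone name, addresses and the DNSKEY rdata are constructed placeholders, and propagation delay and signature-validity slack are left out, so the numbers are minimums rather than a schedule.

```python
"""Find zone-file TTLs that stretch out a DNSSEC key roll (added example)."""
import re
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}
# BIND-style TTL token: 3600, 12h, 1w, 1h30m ...
TTL_RE = re.compile(r"^\d+(?:[smhdw]\d+)*[smhdw]?$", re.I)

# Constructed sample zone: 12h default, NS records pinned to one week.
# The DNSKEY rdata is a placeholder, not a real key.
SAMPLE_ZONE = """\
$TTL 12h
$ORIGIN example.net.
@        IN SOA ns1.example.net. hostmaster.example.net. (
             2010020401 ; serial
             3600       ; refresh
             900        ; retry
             1209600    ; expire
             3600 )     ; negative-cache TTL
@   1w   IN NS  ns1.example.net.
@   1w   IN NS  ns2.example.net.
@        IN DNSKEY 256 3 8 AwEAAd3mplePlaceholder
ns1      IN A   192.0.2.1
ns2      IN A   192.0.2.2
www 3600 IN A   192.0.2.10
"""


@dataclass
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class Zone:
    origin: str
    default_ttl: int
    records: list

    def pinned_above_default(self):
        """Records whose explicit TTL exceeds $TTL: these, not the default,
        bound how long stale data can sit in resolver caches."""
        return [r for r in self.records if r.ttl > self.default_ttl]


def parse_ttl(text):
    """Plain seconds or unit suffixes, e.g. 3600, 12h, 1w, 1h30m."""
    return sum(int(n) * UNITS.get(u, 1)
               for n, u in re.findall(r"(\d+)([smhdw]?)", text.lower()))


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records (SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = "".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def _qualify(name, origin):
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    origin, default_ttl, last_owner, records = ".", None, None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].upper() == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue  # other directives not needed here
        # A line starting with whitespace inherits the previous owner name.
        owner = last_owner if line[0].isspace() else _qualify(tokens.pop(0), origin)
        ttl = None
        if tokens and TTL_RE.match(tokens[0]):       # TTL before class
            ttl = parse_ttl(tokens.pop(0))
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)
        if ttl is None and tokens and TTL_RE.match(tokens[0]):  # class before TTL
            ttl = parse_ttl(tokens.pop(0))
        rtype = tokens.pop(0).upper()
        if ttl is None:
            if default_ttl is None:
                raise ValueError(f"no $TTL and no explicit TTL for {owner} {rtype}")
            ttl = default_ttl
        records.append(Record(owner, ttl, rtype, " ".join(tokens)))
        last_owner = owner
    return Zone(origin, default_ttl, records)


def zsk_prepublish_timeline(zone):
    """Lower bounds for an RFC 6781 pre-publish ZSK roll (no propagation
    delay or signature-validity slack): publish new DNSKEY, wait DNSKEY TTL;
    re-sign, wait the longest TTL of any signed RRset; then drop the old key."""
    dnskey_ttl = max(r.ttl for r in zone.records if r.rtype == "DNSKEY")
    slowest = max(zone.records, key=lambda r: r.ttl)
    return {"publish_wait": dnskey_ttl, "resign_wait": slowest.ttl,
            "bottleneck": (slowest.owner, slowest.rtype),
            "total": dnskey_ttl + slowest.ttl}


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for r in zone.pinned_above_default():
        print(f"explicit TTL above $TTL: {r.owner} {r.rtype} {r.ttl}s")
    t = zsk_prepublish_timeline(zone)
    print(f"ZSK roll needs at least {t['total'] / 86400:.1f} days; "
          f"bottleneck {t['bottleneck']}")
```

With the NS records at one week the bound comes out at about 7.5 days, the week-long roll the slide describes; with the NS TTL left at the zone default it drops to one day. Running the same pass over a zone before signing it catches any other record pinned above the default, which is the check worth making before lbl.gov is signed.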
IPv6 work • We set up IPv6 testbeds in 1999 and 2002 – tore them down because there was no demand to roll out the protocol • Started a "spare cycles" project roughly a year ago to build another one • Why do it again? (aka don't we have enough to work on already??) • Two key differences: • Network researchers want to learn more about BRO for v6 • It's clear we will have to do this in the relatively near future • Better to spend the time now than to do it in a crunch • Network World Daily News AM Alert (2/2/2010): "YouTube support of IPv6 seen in dramatic traffic spike. Google has quietly turned on IPv6 support for its YouTube video streaming Web site, sending a spike of IPv6 traffic across the Internet that has continued from last Thursday until Monday."
IPv6 work • Objectives: • Basic security analysis (firewall rules, etc.) • Get acld working for IPv6 • Peer with ESnet over IPv6 • Provide IPv6 connectivity to a subnet on LBLnet • Have BRO monitor this connection with the ability to block using acld • Get basic DNS working • Gradually turn up services on the IPv6 subnet
IPv6 work • Work breakdown (approximate FTE hrs): • Planning and communication: 20 • Security analysis: 8 • Get acld working for IPv6: 32 • Peer with ESnet over IPv6: 8 • Provide IPv6 connectivity to a subnet on LBLnet: 8 • Have BRO monitor this connection with ability to block using acld: 2 • Get basic DNS working: 12 • Gradually turn up services on the IPv6 subnet: TBD
IPv6 work • Some of the technical issues encountered so far: • IPv6 support on the E1200 required a change in the CAM profile • An IOS upgrade was required for full IPv6 support in the LBLnet core routers • Neighbor Discovery Router Advertisement (RA) suppression does not work in our current version of IOS
IPv6 work • Still have lots to do, but • What we have now enables learning in "spare cycles" • minimal impact • Gradual (prudent) approach seems like the way to go • Better to do it now in "spare cycles" than in a time crunch
Questions? mjbennett@lbl.gov THANKS!