Feb 8 – 9, 2024 Workshop
Embassy Suites Charlotte Uptown
US/Eastern timezone

DNSSEC signer upgrade at PCH.net

Feb 8, 2024, 12:20 PM
25m
Salon A/B (Embassy Suites Charlotte Uptown)

401 East Martin Luther King Jr Blvd Charlotte NC 28202 United States
In-Person Standard Presentation OARC 42 Day 1

Speaker

Tamas Csillag (PCH.net)

Description

In my talk I plan to summarize the properties of PCH's DNSSEC bump-in-the-wire signer from 2010 (which was based on bind9 and custom code in C/bash/Perl).

What our goals and motivations for the upgrade were.

Why we ended up choosing knot as a replacement signer.

Our process includes a keysigning ceremony where ZSKs and the RRSIGs for those keys are generated years in advance.

I will talk about how we use the keysigning output with knot's offline-ksk functionality and how we utilize HSMs.

Another part to be presented is nsd and how we use its relatively recent functionality, the verifier hook, to check the correctness of the DNSSEC-signed zones.

Primary author

Tamas Csillag (PCH.net)