Contents
--------

Day 1 (Monday, October 23)
--------------------------

Morning:

  * Intro
  * DNSSEC Overview:
    1. What problems are we trying to solve in the DNS
      - DNS threats (poisoning, hijacking)
      - Hijack for a selected set of users
      - Kaminsky attack
      - Illustrate points of vulnerability, responsibility

    2. DNSSEC principles, terminology
      - crypto refreshers, ZSK, KSK, SEP, rollover, chain of trust

    3. DNSSEC: part of a multi-layered defense (SSL, ...)
      - Actors in a DNSSEC world (registries, registrars, users,
        administrators, ...)
      - State of DNSSEC deployment, future directions

Afternoon:

  * Introduction to the lab, network setup and private root
  * Software overview (BIND, Unbound, NSD, OpenDNSSEC)
  * Lab 1: DNS refreshers: RRSets, using dig, using tcpdump/wireshark
  * Lab 2: Setup delegation, configure master & slave
  * Lab 3: Logging, log management, and zone transfer security using TSIG

Day 2 (Tuesday, Oct 24)
-----------------------

Morning:

  * DNSSEC signing: What does it take to sign a zone ?
    - Walkthrough demo, followed by hands-on

  * Lab 1: Zone signing and semi-automated management using BIND 9.7+
    - Getting a zone signed, key generation, signing and re-signing
    - Child delegation and DS records
    - NSEC3, opt-out
    - Setup NSD as secondary, setup Unbound as validator
    - RFC5011, 4641

  * DNSSEC signing considerations
    - Choices: Key size, HSM or not, signing model, validation
    - Key management, key rollover, and signature validity

  * Lab 2: Using OpenDNSSEC: automated key management, signing

Afternoon:

  * Lab 3: Using OpenDNSSEC: automated rollover
    - KSK and ZSK rollovers & methods (pre-generate, double-sign, pre-publish)
    - What happens when data is altered ?
      Corrupting/tampering with data manually to illustrate what
      DNSSEC protects against

Day 3 (Wednesday, Oct 25)
-------------------------

Morning:

  * Operational aspects
    - DS management, R<->R interaction, (RFC 5910)
    - Redelegation of signed zones

  * Impact of DNSSEC on policy
    - DNSSEC is a statement of authenticity
    - The DNSSEC Practice Statement (DPS)

  * DNSSEC issues - what does DNSSEC NOT solve
    - Authentication, not encryption
    - DNSSEC *can* make your operations more fragile
    - Other points of attack
      - Compromised registry, SQL injections: garbage in, garbage out
      - The importance of proper operations
    - Protecting the "last mile" (stub resolvers)

Afternoon:

  * Q&A roundtable
 
  * New applications possible thanks to DNSSEC
    - Extended certificate validation in SSL
    - Publish signed information in the DNS
    - DANE

  * Deployment: setting up a testbed
    - "Bump in the wire" deployment
    - Signing & key management
    - Milestones
    - Remember the DPS!