Upload File

dnssec in ua domain (enog2)

11
DNSSEC in the .UA Domain Dmitry Kohmanyuk ENOG2 2011

Upload: dmitry-kohmanyuk

Post on 16-Jul-2015

74 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: DNSSEC in UA Domain (ENOG2)

DNSSEC in the .UA Domain

Dmitry Kohmanyuk

ENOG2

2011

Page 2: DNSSEC in UA Domain (ENOG2)

Some facts

• UA total domains: 616523

• UA zone itself: 12672

• UA public subdomains: 76

Page 3: DNSSEC in UA Domain (ENOG2)

The Plan

Testing in subdomain

Pre-production

Production

Post-Production

Page 4: DNSSEC in UA Domain (ENOG2)

Testing in UA.UA

• Special domain - some strange resolver traffic

• Key generated at IPv6 Workshop #4 - November 8th, 2011

• Public key published http://hostmaster.ua/dnssec

• Zone signed using bind 9.7 toolset (DNSSEC for Humans)

http://hostmaster.ua/dnssec
Page 5: DNSSEC in UA Domain (ENOG2)

Testing signing UA, on private copy

Page 6: DNSSEC in UA Domain (ENOG2)

Pre-production

• Migration of all infrastructure to bind 9.8 (or later when stable)

• Separate signing and publication servers

• DUAZ - probably just single signed zone instance

• Possible use of DLV with pre-production keys

Page 7: DNSSEC in UA Domain (ENOG2)

Algorithm selection

RSAMD5 DSA

RSASHA1 DSA-NSEC3-SHA1

RSASHA1-NSEC3-SHA1 DH

RSASHA256 ECC

RSASHA512 ECC-GOST

Page 8: DNSSEC in UA Domain (ENOG2)

Potential issues

• GOST - no final opinion on validator support

• Algorithm support in IANA RZM system

• Storing key material - hard to split with bind

• Hardware certification - easier to do in software (and cheaper)

Page 9: DNSSEC in UA Domain (ENOG2)

Production

• Key generation - scheduled for December 2nd 2011

• Key parameters - RSASHA512, 2048/1024 bits

• Deployment of key data in pre-production system replica

• Publishing records with IANA and our own web resources

Page 10: DNSSEC in UA Domain (ENOG2)

Post-production

• Key rotation schedule - 3 years for KSK, 3 months for ZSK

• Reconsider algorithms: use Ukrainian own elliptical curve encryption - needs RFC

Page 11: DNSSEC in UA Domain (ENOG2)

Questions?

www.hostmaster.ua Whois.ua [email protected]

http://www.hostmaster.ua/
mailto:[email protected]

DNS and DNSSEC tutorial - huque.com · [DNS and DNSSEC, USENIX LISA 12] DNS Tutorial 7 [DNS and DNSSEC, USENIX LISA 12] DNS •Domain Name System •Base specs in RFC 1034 & 1035

Understanding the Role of Registrars in DNSSEC Deploymentdml/papers/dnssec_imc17.pdf1 INTRODUCTION The Domain Name System (DNS) [33] provides name resolution for ... DNS and DNSSEC

DNS/DNSSEC and Domain Transfers: Are they compable · DNSSEC affects transfers of signed domains, – In parcular when Registrar operates the DNS service for the Domain holder. •

Universal Acceptance (UA) of Domain Names and Email Addresses · ¤ Domain Names ¡ Newertop-level domain names: example.sky ¡ Longertop-level domain names: example.global ¡ Internationalized

DNSSEC: How far have we come? - Virus Bulletin · DNSSEC: How far have we come? Nick Sullivan ... The Domain Name System ... • Microsoft DNS Client on Windows • Unbound on Linux

DNSSEC & KSK Rollover - mednsf.org · | 2 What is DNSSEC? ¤ DNSSEC = “DNS Security Extensions” ¤ DNSSEC is a protocol that is currently being deployed to secure the Domain Name

A Security Evaluation of DNSSEC with NSEC3 · Domain Name System Security Extensions (DNSSEC) and Hashed Authenticated Denial of Existence (NSEC3) are slated for adoption by important

Deploying DNSSEC v1.2-2 - SURF · How to configure Unbound DNSSEC validation ... The Domain Name System ... Deploying DNSSEC 9/30 3 DNS architecture

Domain Name System Security Extensions (DNSSEC ... · Hong Kong Internet Registration Corporation Ltd Domain Name System Security Extensions (DNSSEC) Implementation Project Request

DNSSEC Practice Statement - Oracle · The Domain Name System Security Extensions (DNSSEC) is a set of IETF specifications for adding origin authentication and data integrity to the

Kemanan DNS dan Domain - files.acci.or.id filePentingnya menjaga keamanan di Internet. DNSec • DNSSec digunakan untuk memverifikasi apakah data domain sesuai ... IPv6 . Name Server

DNS SVR2008R2 DNSSEC - itsecure.hu¡gi útmutatók/Egyéb... · 3 Domain Name System Security Extensions Introduction to DNSSEC What is DNSSEC? The Domain Name System (DNS) is a hierarchical,

The Domain Name System (DNS): Security challenges and ... · DNSSEC Domain Name System Security Extensions. DO DNSSEC OK. DOS Denial Of Service. DS DNSSEC Delegation Signer resource

Corporate Policy DNSSEC Policy: Practice Statement › assets › public-comment › corp › auDA... · 2018-09-06 · 1. INTRODUCTION A Domain Name System Security Extension (DNSSEC)

Dnssec in UA - Talk at UAdom 2011

Active Directory Domain Services 2012 R2 ... · 7 Active Directory Domain Services 2012 R2 - Grundkonfiguration - Teil 1 DNSSEC einrichten (Optional zu Testzwecken) Zu Testzwecken

DNSSEC for the Domain

DNS and DNSSEC - econinfosec.org · DNS and DNSSEC Samuel Weiler ... Domain Name System (DNS) ... – DNS Resolver Software BIND and Unbound (java), both open source

DNSSEC: Securing Your Domain Names

A Security Evaluation of DNSSEC with NSEC3theory.stanford.edu/~jcm/papers/dnssec_ndss10.pdf · Domain Name System Security Extensions (DNSSEC) and Hashed Authenticated Denial of Existence

DNSSEC, the DNS and Internet Security2019/04/15  · DANE + DNSSEC •Query the DNS for the TLSA record of the domain name and ask for the DNSSEC signature to be included in the response

Domain Name Registration and Operational Best Current ... · all domain-related information are frozen, including delegations, DNSSEC material, whois content Procedure : 1. lock activated

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman [email protected]

DNSSEC Practice Statement - AFNIC · DNSSEC provides a way for software to validate that Domain Name System (DNS) data has not been tampered with or modified during Internet transit

DNSSEC Practice Statement .AQUARELLE - AFNIC · DPS .AQUARELLE – 11/06/2013 1 DNSSEC Practice Statement .AQUARELLE Registry domain signature policy and conditions …

Domain Name Basics - DNS, DNSSEC and DANE

Measuring the practical impact of DNSSEC Deploymentwlian/papers/lian_dnssec_usenixsec13.pdf · Measuring the practical impact of DNSSEC Deployment Wilson Lian ... The Domain Name

DNSSEC Practice Statement .CORSICA - afnic.fr · PDF fileDPS .CORSICA – 11/06/2013 1 DNSSEC Practice Statement .CORSICA Registry domain signature policy and conditions of implementation

UMSSIA - DTCDNSSEC •DNSSEC Attempts to address these issues cryptographically. •In the “Ideal DNSSEC Deployment”: –There is a public key for the “root” domain. –This

DNSSEC Securing the Internetdnssec-deployment.icann.org/en/dnssec/dnsseccard.pdfDNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS), the Internet’s

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010

Deploying the BIG-IP GTM for DNSSEC - F5 Networks · DNSSEC is a extension to the Domain Name Service (DNS) that ensures the integrity of data returned by domain name lookups by incorporating

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

AFNIC’s Issue Papers DNSSEC · Domain Name System Security Extensions DNSSEC issues The security of any system depends on both the security of its various components and the interactions

DNSSEC : Domain Name Sytem Security Extensions