Presentation is loading. Please wait.

Presentation is loading. Please wait.

APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC.

Published byRalph Fletcher Modified over 8 years ago

Similar presentations

Presentation on theme: "APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC."— Presentation transcript:

1 APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC

2 Overview DNSSEC benefits What we have done What needs to be done? What does APNIC need to do? Let’s set some DNSSEC goals!

3 DNSSEC benefits Trustable DNS lookup –Forward and reverse Signed delegations –Positive and negative confirmations Some additional protections against phishing and related attacks on the DNS

4 What has been done Extensive testing of DNSSEC –For resolving parties –For domain managers Systems provisioning on some APNIC name servers Initial design discussions –Systems capacity planning –DNS management system

5 What needs to be done? Motivations: time to take a position! Address resolver-side issues Address server-side issues Deployment planning

6 Motivations DNSSEC standards now 10+ years in the making – No clear driver from APNIC community APNIC to research requirements and promote DNSSEC –Implement support in deployed servers –Update APNIC RMS to handle DNSSEC delegations –Join RIPE NCC in deploying DNSSEC in reverse-DNS

7 Resolver-side issues No date for signed root –Would have to distribute out of band, as RIPE NCC do 512 byte packet filtering considerations –Resolver, firewall upgrades –This is not only a problem for DNS APNIC services must work regardless of DNSSEC –Wish to avoid 'fate sharing' problems DNSSEC outage affecting APNIC services -(we provision other peoples DNS) Need cleaner functional separation of servers -Much of this already done APNIC no different to any DNS consumer

8 Server-side issues RIPE NCC deployment in in-addr.arpa –Revealed problems with APNIC secondary Lack of CPU, memory Software configuration issues Now resolved with new hardware and software Some increases in network traffic Key management problem –Managed rollovers, distribution No insurmountable problems –APNIC ready to deploy DNSSEC enabled servers in 2007 (in planning)

9 APNIC resource management changes APNIC needs a way to get “DS” info –The APNIC zone production process has to create a signed state over the collected DS of all sub-zones it delegates to –...and generate the NSEC records to cover the ‘gaps’ in signing Design work needed for APNIC resource management system –Should aim to include DS support in 2008

10 Issues: shared zones Mechanisms for managing DNSSEC in shared zones –APNIC sub-zone shares with NIR Solved in APNIC RMS work –Inter-RIR shared zones (ERX) Requires inter-RIR changes -NRO engineering coordination group would need to coordinate

11 What does APNIC need to do? Upgrade deployed name servers –Done. Will be ready in 2007 Upgrade RMS –DS support –Zone signing in DNS zone production engine Requires spec work, can be ready 2008 Progress shared zone issues –Discuss with key stakeholders (NIR/RIR) May not be fully resolved in 2008

12 Lets set some DNSSEC goals! APNIC DNSSEC 'ready' in 2008 Full support in RMS, zone production OOB TA distribution until root signed APNIC DNSSEC promoting 2007/8 Ongoing experiments, measurements and testing Training/documentation S/W & systems development Active promotion of DNSSEC - support/assist signed root planning Full DNNSEC in reverse-DNS in 2008 –Inter RIR, inter NIR. Requires coordination

13 Goals for 2007 Systems deployment (already planned) Server upgrades, software upgrades in progress NRO & NIR coordination –Focus on shared zone improvements –Plan for DS support in 2008 Present detailed plan at APNIC 24 –For deployment in 2008

14 Discussion

Download ppt "APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC."

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.

The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.
Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March 7 2002.

Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March
Early Registration Transfer (ERX) Update George Michaelson DNS SIG APNIC17/APRICOT 2004 Feb 23-27 2004 KL, Malaysia.

Early Registration Transfer (ERX) Update George Michaelson DNS SIG APNIC17/APRICOT 2004 Feb KL, Malaysia.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Akamai DNS Offerings RSA © Conference 2013. ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.

Akamai DNS Offerings RSA © Conference ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.
Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.

Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
IANA Update APNIC 31, Hong Kong February 2011. Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.

IANA Update APNIC 31, Hong Kong February Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.
The new APNIC DNS generation system. Previous System Direct access to backend whois.db files – Constructed radix tree in memory from domain objects –

The new APNIC DNS generation system. Previous System Direct access to backend whois.db files – Constructed radix tree in memory from domain objects –
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Services Area Report Sanjaya Services Area Director.

Services Area Report Sanjaya Services Area Director.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
APNIC Update 1. 2 3 IPv4 Exhaustion Reached “Final /8” on 15 April 2011 103.0.0.0/8 New allocation policy activated Up to /22 per member From 15 April.

APNIC Update IPv4 Exhaustion Reached “Final /8” on 15 April /8 New allocation policy activated Up to /22 per member From 15 April.
Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.

Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.

Similar presentations

Ads by Google