5. DNSSEC Status
- June 1st: go.kr signed with NSEC3 (DS RRs do not exist yet)
- ZSK automated rollover (BIND support)
- BIND version: above 9.6.0
- Architecture: Domain DB -> DNSSEC Master (signer) -> kr DNS Master -> kr DNS Slaves (15 sites)
- Simply unifying the DNSSEC Master and the kr DNS Master is possible. We separated them for easy recovery in case of a DNSSEC service failure.
* The architecture could be implemented in various forms according to the local environment and situation.
6. DNSSEC Status (Cont.)
- Keeping the Dynamic Update service running (the toughest job in deploying DNSSEC)
- All zone transfer: once a day
- Working hours: 130 minutes, most of it for zone transfer (90 minutes)
- Considering the increase in zone signing, improvement of the zone transfer architecture should be considered
- The transfer to the slave in Brazil took the longest time.
- Dynamic update modification needed: we now cover a D.U. failure by transferring all zones once a day, but if more zones adopt DNSSEC, it will be difficult to AXFR the whole zone every time.
- We are seeking solutions to guarantee trust in D.U.
8. DNSSEC Plan (Cont.)
- HSM adoption (testing both server type and PCIe type)
- Duplication of the master kr DNS (should be done together with Domain DB duplication)
* We experienced flooding and a power outage; for about 12 hours the domain info modification service was not possible (last month)
- We are deploying a DNS cache server (DNSSEC enabled) (70% done), for R&D
- 2012~: DNSSEC domain registration service opens (DS RRs could be stored in the registry; DB & EPP work should be done)
9. Registration Open Preparations: DS RR Verification Toolkit
- Checks DS RR validity using user input data (DNSKEY RR, DS RR)
- Shows the result "ok"
- JSP
- Java DNS API (DS Validation class, DS Record class, …)
- Checks for input errors
- Error exceptions
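
The check described on this slide, sketched as an added example (not the toolkit's own JSP/Java code, and written in Python rather than Java): it recomputes the key tag (RFC 4034, Appendix B) and the digest over owner name plus DNSKEY RDATA, then compares both with the submitted DS RR. The function names, the owner name `example.kr` used with it, and the 4-byte sample key are constructed for illustration.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2
SAMPLE_KEY = "257 3 8 AQIDBA=="  # constructed 4-byte dummy key, not a real one

def name_to_wire(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError("bad label length in owner name")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text):
    """'flags protocol algorithm base64' -> (flags, protocol, algorithm, RDATA)."""
    flags, proto, alg = (int(x) for x in text.split()[:3])
    pub = base64.b64decode("".join(text.split()[3:]), validate=True)
    return flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + pub

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey_text, dtype=2):
    """DS presentation text for this key: 'keytag algorithm digesttype digest'."""
    _, _, alg, rdata = parse_dnskey(dnskey_text)
    digest = DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {dtype} {digest}"

def check_ds(owner, dnskey_text, ds_text):
    """Return 'ok', or a message naming the input error or the mismatch."""
    try:
        flags, proto, alg, rdata = parse_dnskey(dnskey_text)
        tag, ds_alg, dtype = (int(x) for x in ds_text.split()[:3])
        claimed = bytes.fromhex("".join(ds_text.split()[3:]))
        owner_wire = name_to_wire(owner)
    except (ValueError, struct.error) as exc:
        return f"input error: {exc}"
    if proto != 3 or not flags & 0x0100 or len(rdata) == 4:
        return "input error: need a non-empty zone key (protocol 3, flag bit 7)"
    if dtype not in DIGESTS:
        return "input error: unsupported digest type"
    if ds_alg != alg:
        return "mismatch: algorithm"
    if tag != key_tag(rdata):
        return "mismatch: key tag"
    digest = DIGESTS[dtype](owner_wire + rdata).digest()
    return "ok" if digest == claimed else "mismatch: digest"
```

Calling `check_ds("example.kr", SAMPLE_KEY, make_ds("example.kr", SAMPLE_KEY))` returns `"ok"`; a DS copied from a different owner name or with an edited digest returns a mismatch message instead.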
10. Registration Open Preparations: DS RR Verification Toolkit
11. Registration Open Preparations: EPP Modification
- DS RR information added
- DNSSEC-related EPP commands: <secDNS:create>, <secDNS:add>, <secDNS:rem>, <secDNS:chg>
- New version RTK distribution
12. DNSSEC Plug-in Pilot: DNSSEC Validator Plug-In Dev. (Pilot)
- DNSSEC Validation API development: dnsval-1.10 (for Linux & Windows)
- Chrome, Firefox: NPRuntime
- IE: ActiveX
13. DNSSEC Plug-in Pilot: DNSSEC Validator Plug-In Dev. (Pilot)
- Various images help users understand the validation result more easily and more directly
14. DNSSEC Seminar
- For user understanding & publicity
- Planning three times this year
- 1st seminar: 2011/7/14, 13:00~18:00
  - Participants: 30 (go, ac, re, ne, isp)
  - Before/after survey done (33 people)
- 2nd: Sep.
- 3rd: Nov.
15. Considerations
- New BIND versions come out very often (strength) (weakness)
  - With new functions added
  - BIND has most of the functions we need, without ZKT, OpenDNSSEC, DNSSEC-TOOLS, etc.
- (weakness) BIND security vulnerabilities come up often
  - In the most recent year, 10 were reported (CVE , 1907, 1910, 2464, 2465, CVE , 3762, 3614, 3615, 3613)
- Difficult to have full knowledge of administration & operation
16. Considerations
- Commercial solution deployment
- The problem of choosing between economy and convenience