Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC Update in.KR KISA Young-sun La 1.

Similar presentations


Presentation on theme: "DNSSEC Update in.KR KISA Young-sun La 1."— Presentation transcript:

1 DNSSEC Update in.KR KISA Young-sun La rays@kisa.or.kr 1

2 Contents Introduction.kr DNSSEC Overview Status Plan Registration Open Preparations Plug-in Pilot Seminar Considerations 2

3 Introduction KISA roles ◦ Registry for.kr &. 한국 (IDN ccTLD) ◦ Thirty kr subdomain zone(ex, “co.kr” etc.) ◦ Cooperation with Thirty four Registrars(domain registration & administration, Using EPP) ◦ Operating Master kr DNS ◦ Fifteen slave DNS deployment & operation  9 Sites in korea, 6 sites abroad  12 sites controled by KISA, 3 sites controled by ISPs ◦ Hosting Root DNS(F) Mirror ◦ Hosting other ccTLDs DNS(German, Brazil, Sigapore, China) ◦ KR domains : 1,094,609(2011 July) ◦ DNS Query : 1,229,393,305/day(2011 July Ave.) 3

4 DNSSEC Overview 4.kr Registry User Recursive DNS.kr Registrant (DNS Operator) 34 Co. 2011, June : go.kr (signed) 2011, Sep. :.kr 2011, Oct. : 12 Zones 2011, Nov. : 16 Zones 2012, Mar. : co.kr the latter half 2012 DNSSEC Registrations Open the latter half 2011 DNSSEC cache servers run The latter half of 2011 DNSSEC Validation Plug-in(Pilot) KISA.kr Registrar ISP, Co., Gov., KISA

5 DNSSEC Status June 1 st : go.kr signed NSEC3 (DS RR aren’t exist yet) ZSK Automated Rollover(BIND support) BIND version : above 9.6.0 Architecture ◦ Domain DB->DNSSEC Master(signer)-> kr DNS Master -> kr DNS Slaves(15sites) ◦ Simply, Unification DNSSEC Master & kr DNS Master is possible. ◦ We seperated them for esay recovery in case of DNSSEC service failure. ◦ * Architecture could be implemented as various forms according to the local environment & situation. 5

6 DNSSEC Status(Cont.) Keeping Dynamic Update Service running(the most toughest job in deployment DNSSEC) All Zone Transfer : Once a day Working Hours : 130minutes, most for zone transfer(90minutes) Considering zone signing increase, improvement in zone transfer architecture should be considered Transfer to slave in brazil took the longest time. Dynamic update modification need : we cover all zone transfer once a day in case of D.U. failure now, but if more zone adopt DNSSEC, It will be difficult to AXFR the whole zone every time. We are seeking solutions to guarantee trust in D.U. 6

7 DNSSEC Plan 2011, Sep. :.kr 2011, Oct. : 12 zones(or.kr, ac.kr etc.) 2011, Nov. : 16 zones(seoul.kr, jeju.kr etc.) 2012, Mar. : co.kr(* biggest zone) *Except Registrants’(Domain Owners) dnssec adoption Registration system(possible after DB, EPP revision) 7

8 DNSSEC Plan(Cont.) HSM adoption(testing both server type and PCIe type) Duplication master kr DNS(should be done with Domain DB duplications * experienced flooding and power cutage, about for 12hours, domain info modification service wasn’t possible(last month) We are deploying DNS cache server(DNSSEC enabled)(70% done), for R&D 2012~ : DNSSEC Domain Registration service open(DS RR could be stored in Registry, DB & EPP job should be done) 8

9 Registration Open Preparations DS RR Verification Toolkit ◦ Check DS RR validity using user input data(DNSKEY RR, DS RR) ◦ Show the result “ok” ◦ JSP ◦ Java DNS API(DS Validation class, DS Record class, …) ◦ Check Input error ◦ Error exceptions 9

10 Registration Open Preparations DS RR Verification Toolkit 10

11 Registration Open Preparations EPP Modification ◦ DS RR infomation added ◦ DNSSEC related EPP Commands ,, , ◦ New version RTK distribution 11

12 DNSSEC Plug-in Pilot DNSSEC Validator Plug-In Dev.(Pilot) ◦ DNSSEC Validation API Development ◦ dnsval-1.10 (for Linux & windows) ◦ Chrome, Firefox : Npruntime ◦ IE : ActiveX 12

13 DNSSEC Plug-in Pilot DNSSEC Validator Plug-In Dev.(Pilot) ◦ Various Images help user understand the validation result much easier, straigter 13

14 DNSSEC Seminar For User understanding & publicity Planing three times this year 1th Seminar ◦ 2011/7/14, 13:00~18:00 ◦ Paticipants : 30(go, ac, re, ne, isp) ◦ Before/after Survey done(33people) 2th : Sep. 3th : Nov. 14

15 Considerations BIND new version comes so often (strength) ◦ With new function added ◦ BIND has most function we need ◦ Without ZKT, OpenDNSSEC, DNSSEC-TOOLS etc. (weakness) ◦ BIND security vulnerability comes often  Recent one year, 10times reported (CVE-2011-0414, 1907, 1910,2464,2465, CVE-2010- 0218, 3762, 3614, 3615, 3613)  Difficult in having full knowledge in administration & operation 15

16 Considerations Commercial Solution deployment Problem of selection between economy and convenience 16

17 Thank you 17


Download ppt "DNSSEC Update in.KR KISA Young-sun La 1."

Similar presentations


Ads by Google