< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA


1 KISA Young-sun La
< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA Young-sun La

2 Contents
- Introduction
- .kr DNSSEC: Overview, Status, Plan
- Registration Open Preparations
- Plug-in Pilot
- Seminar
- Considerations

3 Introduction
KISA roles
- Registry for .kr & .한국 (IDN ccTLD)
- Thirty kr subdomain zones (ex, “” etc.)
- Cooperation with thirty-four registrars (domain registration & administration, using EPP)
- Operating the master kr DNS
- Fifteen slave DNS deployment & operation: 9 sites in Korea, 6 sites abroad; 12 sites controlled by KISA, 3 sites controlled by ISPs
- Hosting a Root DNS (F) mirror
- Hosting other ccTLDs' DNS (Germany, Brazil, Singapore, China)
KR domains : 1,094,609 (2011 July)
DNS queries : 1,229,393,305/day (2011 July avg.)

4 DNSSEC Overview
[Diagram labels: .kr Registry, User, Recursive DNS, .kr Registrant (DNS Operator), 34 Co., KISA, .kr Registrar, ISP, Co., Gov.]
- 2011, June : (signed)
- 2011, Sep. : .kr
- 2011, Oct. : 12 Zones
- 2011, Nov. : 16 Zones
- 2012, Mar. :
- The latter half of 2012 : DNSSEC Registrations Open
- The latter half of 2011 : DNSSEC cache servers run
- The latter half of 2011 : DNSSEC Validation Plug-in (Pilot)

5 DNSSEC Status
- June 1st : signed NSEC3 (DS RRs do not exist yet)
- ZSK automated rollover (BIND support)
- BIND version : above 9.6.0
- Architecture : Domain DB -> DNSSEC Master (signer) -> kr DNS Master -> kr DNS Slaves (15 sites)
- Simply unifying the DNSSEC Master & kr DNS Master is possible. We separated them for easy recovery in case of DNSSEC service failure.
* The architecture could be implemented in various forms according to the local environment & situation.

6 DNSSEC Status (Cont.)
- Keeping the Dynamic Update service running (the toughest job in deploying DNSSEC)
- All zone transfer : once a day
- Working hours : 130 minutes, most of it for zone transfer (90 minutes)
- Considering the increase in zone signing, improvement in the zone transfer architecture should be considered
- Transfer to the slave in Brazil took the longest time.
- Dynamic update modification needed : for now we cover D.U. failures with a transfer of all zones once a day, but if more zones adopt DNSSEC, it will be difficult to AXFR the whole zone every time. We are seeking solutions to guarantee trust in D.U.

7 DNSSEC Plan
- 2011, Sep. : .kr
- 2011, Oct. : 12 zones (, etc.)
- 2011, Nov. : 16 zones (, etc.)
- 2012, Mar. :* biggest zone)
*Except Registrants’ (Domain Owners) DNSSEC adoption
- Registration system (possible after DB, EPP revision)

8 DNSSEC Plan (Cont.)
- HSM adoption (testing both server type and PCIe type)
- Duplication of the master kr DNS (should be done together with Domain DB duplication)
* Last month we experienced flooding and a power outage; for about 12 hours the domain info modification service wasn’t possible
- We are deploying DNS cache servers (DNSSEC enabled) (70% done), for R&D
- 2012~ : DNSSEC domain registration service open (DS RR could be stored in the Registry; DB & EPP work should be done)

9 Registration Open Preparations
DS RR Verification Toolkit
- Checks DS RR validity using user input data (DNSKEY RR, DS RR)
- Shows the result “ok”
- JSP
- Java DNS API (DS Validation class, DS Record class, …)
- Checks input errors
- Error exceptions

10 Registration Open Preparations
DS RR Verification Toolkit
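
The check the DS RR Verification Toolkit slides describe (registrant submits a DNSKEY RR and a DS RR, the tool answers "ok" or reports an error), as an added Python example; it is not KISA's JSP/Java toolkit. The function names, the zone `example.kr` and the 4-byte dummy key are constructed for illustration; the key tag and digest computations follow RFC 4034 and RFC 4509.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def wire_name(owner):
    """Canonical (lowercased) wire format of the DNSKEY owner name."""
    out = b""
    for label in filter(None, owner.lower().rstrip(".").split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64-key' into DNSKEY RDATA."""
    flags, proto, alg, *key = text.split()
    if int(proto) != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pub = base64.b64decode("".join(key), validate=True)
    return struct.pack("!HBB", int(flags), 3, int(alg)) + pub

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (algorithm 1 uses another rule)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    if digest_type not in DIGESTS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def check_ds(owner, dnskey_text, ds_text):
    """Return 'ok' or the reason the submitted DS does not match the key."""
    try:
        rdata = dnskey_rdata(dnskey_text)
        tag, alg, dtype, *hexparts = ds_text.split()
        if int(tag) != key_tag(rdata):
            return "key tag mismatch"
        if int(alg) != rdata[3]:
            return "algorithm mismatch"
        if "".join(hexparts).upper() != ds_digest(owner, rdata, int(dtype)):
            return "digest mismatch"
    except (ValueError, struct.error) as exc:  # bad numbers, base64, names
        return "input error: %s" % exc
    return "ok"

# Constructed sample: dummy 4-byte key for the hypothetical zone example.kr
KEY = "257 3 8 AQIDBA=="
GOOD_DS = "2063 8 2 " + ds_digest("example.kr.", dnskey_rdata(KEY), 2)
```

`check_ds("example.kr.", KEY, GOOD_DS)` returns `"ok"`; submitting the same DS for a different owner name returns `"digest mismatch"`, because the owner name is part of the hashed data.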

11 Registration Open Preparations
EPP Modification
- DS RR information added
- DNSSEC related EPP commands : <secDNS:create>, <secDNS:add>, <secDNS:rem>, <secDNS:chg>
- New version RTK distribution

12 DNSSEC Plug-in Pilot
DNSSEC Validator Plug-In Dev. (Pilot)
- DNSSEC Validation API development : dnsval-1.10 (for Linux & Windows)
- Chrome, Firefox : Npruntime
- IE : ActiveX

13 DNSSEC Plug-in Pilot
DNSSEC Validator Plug-In Dev. (Pilot)
- Various images help users understand the validation result much more easily and directly

14 DNSSEC Seminar
For user understanding & publicity
- Planning three times this year
- 1st seminar : 2011/7/14, 13:00~18:00; participants : 30 (go, ac, re, ne, isp); before/after survey done (33 people)
- 2nd : Sep.
- 3rd : Nov.

15 Considerations
New BIND versions come out very often
- (strength) New functions are added; BIND has most of the functions we need, without ZKT, OpenDNSSEC, DNSSEC-TOOLS etc.
- (weakness) BIND security vulnerabilities come often: in the most recent year, 10 were reported (CVE , 1907, 1910, 2464, 2465, CVE , 3762, 3614, 3615, 3613)
- (weakness) Difficult to have full knowledge of administration & operation

16 Considerations
Commercial solution deployment
- The problem of choosing between economy and convenience

17 Thank you
