Krit Witwiyaruj, Thai Name Server Co., Ltd.: .th DNSSEC Implementation

1 .th DNSSEC Implementation
Krit Witwiyaruj, Thai Name Server Co., Ltd.

2 .th System Architecture

3 KeyStore Admin Tool
Key parameters for the zone
- Key usage: KSK/ZSK
- Key algorithm: RSA-SHA1/RSA-SHA256
- Key length: 2048/1024 bits
- Key reference location
Key generation tool
- Key generation for multiple zones
- Key generation for a zone
- Rollover key generation for multiple zones
- Rollover key generation for a zone
- Rollover key deletion

4 Private Key / Public Key
Private key is stored in the .private file
- Tracked by the KeyStore Admin Tool: reference location, timestamp
- Non-active keys are stored in a separate directory
Public key is stored in the .key file and in the KeyStore for easy access
- Accessible by the KeyStore Admin Tool: reference location, key content, timestamp
- Non-active keys are stored in a separate directory

5 Zone Builder Tool
- Run by a cron job
- Puts DNSKEY and DS records into the zone
  - Only active keys are put into the zone.
- Auto-updates the serial number
- Legacy zone content is included
  - That is, the content that is maintained by hand.

6 Zone Signer
- Run by the Zone Builder Tool
- Signs the zone with the corresponding keys
  - Reads signing parameters from the KeyStore
  - Signs the zone using BIND's dnssec-signzone
  - Signs with multiple keys for key rollover when needed

7 Zone Transfer
Signed zones are loaded into the local nameserver. Using the DNS zone transfer mechanism with TSIG set up, the zone is transferred to the outbound nameserver before being transferred to the primary nameserver, and from there it is distributed to the authoritative servers.

8 DS & DNSKEY Tool
- Client domains need to send in their keyset (public key)
  - via e-mail (and, in the future, a web interface)
- Registration staff then verify the key and run the tool to convert the key to DS records
- The tool automatically stores the DS records in the zone database
- For legacy clients, to run the tool the staff need to create a keyset file and put the result (DS records) into the zone by hand.
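The keyset-to-DS conversion that the DS & DNSKEY Tool performs, as an added example in Python (not the registry's own tool): it parses a presentation-format DNSKEY, derives the RFC 4034 key tag, emits SHA-1 and SHA-256 DS records, and checks whether a submitted DS line was derived from that key. The owner name example.co.th and the 4-byte public key used in the check are constructed placeholders, far too short for a real RSA key.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR (TTL/class optional) into (owner, rdata)."""
    tokens = line.split(";")[0].replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))  # base64 may span several tokens
    return tokens[0], struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1): 16-bit word sum."""
    acc = 0
    for i in range(0, len(rdata), 2):
        acc += rdata[i] << 8
        if i + 1 < len(rdata):          # odd-length RDATA: last byte is the high octet
            acc += rdata[i + 1]
    acc += (acc >> 16) & 0xFFFF          # fold the carry back in
    return acc & 0xFFFF

def ds_records(dnskey_line: str, digest_types=(1, 2)) -> list:
    """DS RDATA tuples (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    tag, alg = key_tag(rdata), rdata[3]
    return [(tag, alg, dt, DIGEST_ALGS[dt](name_to_wire(owner) + rdata).hexdigest().upper())
            for dt in digest_types]

def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """Check that a submitted DS line was derived from this DNSKEY (a verification step)."""
    t = ds_line.split(";")[0].replace("(", " ").replace(")", " ").split()
    i = t.index("DS")
    tag, alg, dt = (int(x) for x in t[i + 1:i + 4])
    digest = "".join(t[i + 4:]).upper()
    return dt in DIGEST_ALGS and (tag, alg, dt, digest) in ds_records(dnskey_line, (dt,))

if __name__ == "__main__":
    # Constructed sample key (hypothetical example.co.th, 4-byte placeholder public key).
    for tag, alg, dt, digest in ds_records("example.co.th. 3600 IN DNSKEY 257 3 8 AQIDBA=="):
        print(f"example.co.th. 3600 IN DS {tag} {alg} {dt} {digest}")
```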

9 Sign .th zone: Experimental
Signer box setup
- Intel Quad Core Xeon X5470 3.33GHz
- RAM 2GB
- OS FreeBSD 6.4-RELEASE
- BIND 9.6.0-P1
.th zones
- 1 TLD: "th"
- 7 SLDs: "ac.th", "co.th", "go.th", "in.th", "mi.th", "net.th", "or.th"
Key size
- KSK algorithm RSA-SHA1, 2048 bits
- ZSK algorithm RSA-SHA1, 1792 bits

10 Sign .th zone: Experimental
Sign zone with no DS record

Zone     Registered domains   Zone size (K), unsigned   Zone size (K), signed   Time taken (s)
th       16,221               691                       4,673                   17.54
ac.th    5,494                335                       1,770                   6.6
co.th    34,412               1,807                     10,917                  41.17
go.th    4,754                245                       1,455                   5.49
in.th    9,502                455                       2,766                   10.49
mi.th    40                   5                         20                      0.08
net.th   47                   6                         20                      0.08
or.th    1,313                77                        443                     1.68

11 Things To Do
Registry-Registrar-Reseller DNSSEC add-on API:
- To enable DNSSEC registration
- To handle keyset submission
- Provide public key information to the world ...

12 Thank You
Krit Witwiyaruj, Thai Name Server Co., Ltd.
Email: krit@thains.co.th

