CZ.NIC in a nutshell
Domain, DNSSEC, Turris Project and others
Sergey Myasoedov, UADOM, December 1, 2017
CZ.NIC registry system
- Open source registration system (FRED)

.cz registration
- 1.3M domains

.cz DNSSEC
- ~52% of domains signed
DNSSEC.CZ: history
- April 4, 2008: ENUM zone (0.2.4.e164.arpa) signed
- September 2, 2008: .CZ signed
- September 30, 2008: .CZ open for end-user public key registration (KEYSET objects)
- June 2010: 0.2.4.e164.arpa switched from NSEC to NSEC3
- July 15, 2010: root zone signed
- August 2010: .CZ switched from NSEC to NSEC3, without opt-out (a high percentage of delegations was already signed, so opt-out would have gained little)
- June 20, 2017: Automated Keyset Management launched
DNSSEC.CZ: key points
- Incentives for registrars
- Direct communication with major stakeholders: registrars, ISPs, government, major websites
- Open source supporting tools (DANE)
- Long-term DNSSEC-related PR campaigns
- Technical conferences
Incentives for registrars
- Technical: a DNSKEY object (KeySet) can be shared by multiple domains, enabling bulk operations
- Marketing: registrar certification; it is hard to get 5 stars without DNSSEC support
- Financial: co-marketing, with 50% of expenses covered if the campaign is related to .cz; higher DNSSEC penetration means a higher funding cap
Tools
- DNSSEC/TLSA Validator: browser add-on for Firefox, Chrome, IE, Safari, Opera
- Bogus domain checks for ISPs
- DNSSEC HTML widget
- Turris project: secure CPE
- All open source; see http://labs.nic.cz
Campaigns
- Good domain: an IT Crowd style guy explaining why it is important to have a (signed) domain
- Twins: a strange video acted by people who look like certain celebrities, about secure domains
- Internet how-to: 2-minute educational spots on DNSSEC and IPv6, in prime time on major Czech TV
Automated Keyset Management
- RFC 7344: Automating DNSSEC Delegation Trust Maintenance
- RFC 8078: Managing DS Records from the Parent via CDS/CDNSKEY
- Daily scan of all domains in the zone file for CDNSKEY records; takes about 3 hours for .CZ
- Three categories of domains:
  - without KeySet
  - with an automatically generated KeySet
  - with a legacy KeySet created by a registrar
Registry implementation
- cdnskey-scanner: CLI tool invoked by fred-akm
  - input on STDIN, output on STDOUT
  - implemented with getdns + libevent
  - distributes queries per nameserver (scans secured and insecure domains, with their nameservers, for CDNSKEY)
- fred-akm: CLI tool invoked from cron
  - implements the processing logic
  - SQLite database backend stores the state (get domains with nameservers, update DNSSEC, notify contacts)
- FRED-specific layer: fred-akmd
  - server-side daemon
  - implements the CORBA interface to registry data
  - can be replaced with a registry-specific part
Domains without KeySet
- All authoritative nameservers from the registry database are scanned via TCP queries
- When a CDNSKEY is found, the technical contact is informed via e-mail
- Scanning continues for 7 more days
- If the results are always the same (and it is not a DS deletion request), a new KeySet is created and linked to the domain
- Domain holder (via notify e-mail) and registrar (via EPP) are notified
Domains with automatic KeySet
- Scan for CDNSKEY via a local resolver; DNSSEC is validated inside the scanner
- If a CDNSKEY is found, do as requested:
  - update the KeySet with the new DNSKEY, or
  - remove the KeySet (with notification of domain holder and registrar)
- Technical contact is informed via e-mail
Domains with legacy KeySet
- Scan for CDNSKEY via a local resolver; DNSSEC is validated inside the scanner
- If a CDNSKEY is found, do as requested:
  - create a new automatic KeySet and swap it into the domain, or
  - remove the KeySet
- Technical contact is informed via e-mail
- Domain holder (via notify e-mail) and registrar (via EPP) are notified
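The processing logic for the three domain categories above, as an added illustration that is not the FRED fred-akm or cdnskey-scanner source: it models the 7-day consistency window for domains without a KeySet, the RFC 8078 delete record, and the apply-at-once path for domains whose answers came through a validating resolver. State is kept in memory rather than SQLite, the action strings and the rule that unvalidated answers are dropped are assumptions, and the domain names, nameserver names and key material are constructed.

```python
"""Registry-side CDNSKEY processing (RFC 7344 / RFC 8078), constructed example.

Not the FRED code: in-memory state instead of SQLite, invented names and keys.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# One CDNSKEY record: (flags, protocol, algorithm, base64 public key), RFC 7344 s.3.1
CDnskey = Tuple[int, int, int, str]

# RFC 8078 s.4: the delete signal is algorithm 0 with a single zero byte as key
CDNSKEY_DELETE: CDnskey = (0, 3, 0, "AA==")

# First sighting plus seven further daily scans that must all agree
REQUIRED_CONSISTENT_SCANS = 8


def is_delete_request(rrset: FrozenSet[CDnskey]) -> bool:
    """True when the RRset is exactly the RFC 8078 delete record."""
    return rrset == frozenset({CDNSKEY_DELETE})


def consolidate(per_ns: Dict[str, FrozenSet[CDnskey]]) -> Optional[FrozenSet[CDnskey]]:
    """Collapse the answers of all authoritative nameservers into one RRset.

    Returns None when the servers disagree (including one answering and
    another returning nothing), so an inconsistent day never counts.
    """
    answers = set(per_ns.values())
    return answers.pop() if len(answers) == 1 else None


@dataclass
class DomainState:
    history: List[FrozenSet[CDnskey]] = field(default_factory=list)
    tech_contact_notified: bool = False


@dataclass
class AkmScanner:
    """Decision logic for the three domain categories from the slides."""
    states: Dict[str, DomainState] = field(default_factory=dict)
    keysets: Dict[str, FrozenSet[CDnskey]] = field(default_factory=dict)

    def scan_insecure(self, domain: str, per_ns: Dict[str, FrozenSet[CDnskey]]) -> str:
        """Domain without a KeySet: one day's answers from every authoritative
        nameserver (queried directly, so no validation is possible). Returns the action."""
        st = self.states.setdefault(domain, DomainState())
        rrset = consolidate(per_ns)
        if not rrset or (st.history and st.history[-1] != rrset):
            # Disagreement, no CDNSKEY, or changed content: the 7-day clock restarts
            st.history.clear()
            st.tech_contact_notified = False
            if not rrset:
                return "reset"
        st.history.append(rrset)
        if not st.tech_contact_notified:
            st.tech_contact_notified = True
            return "notify-tech-contact"          # e-mail on first sighting
        if len(st.history) < REQUIRED_CONSISTENT_SCANS:
            return "wait"
        st.history.clear()
        if is_delete_request(rrset):
            return "ignore-delete"                # nothing to delete for an insecure domain
        self.keysets[domain] = rrset             # holder e-mailed, registrar told via EPP
        return "create-keyset-and-notify"

    def scan_secure(self, domain: str, rrset: FrozenSet[CDnskey], validated: bool) -> str:
        """Domain with an automatic or legacy KeySet: the answer came through a
        validating resolver, so a validated request is applied at once."""
        if domain not in self.keysets:
            raise ValueError(f"{domain} has no KeySet; use scan_insecure")
        if not rrset:
            return "no-change"
        if not validated:
            return "ignore-bogus"                 # assumption: unvalidated answers are dropped
        if is_delete_request(rrset):
            del self.keysets[domain]
            return "remove-keyset-and-notify"
        self.keysets[domain] = rrset              # a legacy KeySet is swapped for an automatic one
        return "update-keyset-and-notify"
```

Feeding eight identical daily scans of all nameservers into scan_insecure yields notify-tech-contact, six waits, then create-keyset-and-notify; a day on which the nameservers disagree resets the clock, and eight consistent delete records end in ignore-delete rather than a KeySet.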
KSK rollover in Knot DNS
- Double-signature KSK rollover
- Optional KSK submission via CDS/CDNSKEY
- Periodic checks for DS existence via a set of configured nameservers (all must see the DS):
  - all parental authoritative nameservers
  - and/or a DNSSEC-validating resolver
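An illustrative Knot DNS configuration fragment for the submission check described above, added here and not taken from the slides. It uses the remote, submission and policy sections and the ksk-submission, parent and check-interval keys as documented for Knot DNS 2.6; the remote names, addresses, policy name and zone are assumptions.

```yaml
# Servers that must all answer with the DS before Knot finishes the KSK rollover.
# Addresses are placeholders (documentation range), not CZ.NIC infrastructure.
remote:
  - id: parent_ns1
    address: 192.0.2.1
  - id: parent_ns2
    address: 192.0.2.2
  - id: validating_resolver        # alternatively, or additionally, a validating resolver
    address: 192.0.2.53

submission:
  - id: cz_submission
    parent: [parent_ns1, parent_ns2, validating_resolver]   # every listed server must see the DS
    check-interval: 1h                                      # how often the DS check is repeated

policy:
  - id: automatic_ksk
    algorithm: ECDSAP256SHA256
    ksk-lifetime: 365d
    ksk-submission: cz_submission     # publish CDS/CDNSKEY for the new KSK, then poll for the DS

zone:
  - domain: example.cz
    dnssec-signing: on
    dnssec-policy: automatic_ksk
```

With this in place the new KSK is published alongside the old one (double signature), the CDS/CDNSKEY records advertise it to the parent's scanner, and the old key is retired only once every server in the parent list serves the matching DS.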
CZ.NIC: other activities
- Despite the huge price reduction of .cz domains, there is still a surplus, which funds new activities:
- National CERT team: CSIRT.CZ
- Enlightenment: TV shows, books
- Academy: training
- mojeID
- Conference hosting: ICANN, IETF, RIPE, etc.
- CZ.NIC Labs, ...
CZ.NIC Labs: development of open source software
- BIRD
- Knot DNS
- Knot Resolver
- DNSSEC Validator
- Tablexia
- Netmetr
- Local tools: Datovka, iDatovka, ...
- Research: security, new technologies
Turris & Turris Omnia: and later on, open source hardware
- Turris: security research router (CZ only)
- Turris Omnia: publicly available SOHO router; the IndieGoGo campaign raised $1.25M (!)
THANK YOU!
Sergey Myasoedov
https://www.nic.cz