.uk DNSSEC Status update

Slides:



Advertisements
Similar presentations
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Advertisements

< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
Identity Management and DNS Services Tianyi XING.
Identity Management and DNS Services Tianyi XING.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.
DNSSEC deployment in NZ Andy Linton
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.
(1) Introduction to Continuous Integration Philip Johnson Collaborative Software Development Laboratory Information and Computer Sciences University of.
Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.
Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015.
DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc Samuel Morse Dr. Columbia MD Ph:
Deploying DNSSEC without Losing Your Mind Summer ESNET Conference July 2009.
What's so hard about DNSSEC? Paul Ebersman – May 2016 RIPE72 – Copenhagen 1.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNSSec.TLD is signed! What next? V.Dolmatov November 2011.
Rolling the Root Geoff Huston APNIC Labs March 2016.
Increasing the Zone Signing Key Size for the Root Zone
A Logo for DNSSEC Wrapping DNSSEC into marketing Lutz Donnerhacke
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.
BIND 10 DNS Project Status + DNS Resolver Status/Plans Shane Kerr 23 January 2013.
Rolling the Root Zone DNSSEC Key Signing Key
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
Lesson 19: Configuring and Managing Updates
A longitudinal, End-to-End View of the DNSSEC Ecosystem
SaudiNIC Riyadh, Saudi Arabia May 2017
Registry Infrastructure Transformation
Agenda DNSSEC automation overview How to implement it in FRED
Lecture 20 DNS Sec Slides adapted from Olag Kampman
In collaboration with HKCERT and HKIRC July 2016
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
State of DNSSEC deployment ISOC Advisory Council
Root Zone KSK Rollover: delay and next steps
HUAWEI eSight Secure Center Feature Introduction
DNSSEC Operations in .gov
Geoff Huston APNIC Labs September 2017
Root Zone KSK Rollover Update
DNSSEC made simple. DNSSEC made simple ~]$ whoami Emil Natan, CTO, ISOC-IL.
CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
DNS security.
R. Kevin Oberman ESnet February 5, 2009
TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017
Managing Name Resolution
.edu DNSSEC Testbed Lessons Learned
Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research
What DNSSEC Provides Cryptographic signatures in the DNS
Casey Deccio Sandia National Laboratories
Geoff Huston APNIC Labs
DNS operator transfers with DNSSEC
DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75
DNSSEC Status Update in UA
The Curious Case of the Crippling DS record
Features Overview.
Trust Anchor Signals from Custom Applications
ECDSA P-256 support in DNSSEC-validating Resolvers
Presentation transcript:

.uk DNSSEC Status update 02/05/2011 Brett Carr

Introduction .uk DNSSEC September 2010 Issues SLD DNSSEC DNSSEC Signing Service.

.uk DNSSEC .uk Signed March 2010 Uses: Opendnssec Centos Oracle HSM’s Three sets of identical hardware/software NSEC3 not needed but deployed. ZSK rolled every 6 months automatically KSK rolled every 3 years Low TTL on DNSKEYS to ensure rapid recovery from *issues*

What did we change/learn September 2010 Issue HSM Hardware failure caused OS crash HSM Locked on reboot System designed with no urgency to fix so wait Failover to backup system Opendnssec key db/config file inconsistency 2 Day TTL on DNSKEY caused slow recovery What did we change/learn Don’t lock HSM’s on reboot add’s extra security but more complexity. Improved checking procedures for failover Reduce TTL on dnskey to 1 hour so recovery is quicker

SLD DNSSEC Signing of: me.uk co.uk ltd.uk plc.uk org.uk net.uk sch.uk Zones are very large and dynamically updated every minute. BIND 9.7.3 Continuous signing: Create the keys then add this to your configuration: auto-dnssec maintain; sig-validity-interval 35 28; Single Key (no KSK and ZSK) as we are the parent No scheduled rollover DS’s accepted from capable registrars 18 May

DNSSEC Signing Service Encourage deployment of DNSSEC further. Registrar gives us unsigned zone (via notify and axfr) Nominet signing systems create a signed zone. Notify sent to customer DNS system for AXFR. For *.uk zones Nominet signing system inserts DS record into parent.

Questions/Comments

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.