CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others

1 CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others
Sergey Myasoedov • UADOM • December 1, 2017

2 CZ.NIC registry system: open source registration system

3 .cz registration: 1.3M domains

4 .cz DNSSEC: ~52% of domains signed

5 DNSSEC.CZ - history
- April 4, 2008 - ENUM (0.2.4.e164.arpa)
- September 2, 2008 - .CZ signed
- September 30 - .CZ open for end-user public key registration (KEYSET records)
- July 15, 2010 - root zone signed
- NSEC -> NSEC3: 0.2.4.e164.arpa in June 2010, .CZ in August 2010
- NSEC3 without OPT-OUT (high percentage of signed domains)
- June 20, 2017 - Automated Keyset Management

6 DNSSEC.CZ - key points
- Incentives for registrars
- Direct communication with major stakeholders: registrars, ISPs, government, major websites
- Open source supporting tools (DANE)
- Long-term DNSSEC-related PR and campaigns
- Technical conferences

7 Incentives for registrars
- Technical: a DNSKEY object shared by multiple domains; bulk operations
- Marketing: registrar certification; hard to get 5 stars without DNSSEC support
- Financial: co-marketing, 50% of expenses covered if the campaign is related to .cz; higher DNSSEC penetration means higher caps

8 Tools
- Browser DNSSEC/TLSA validator: browser add-on for Firefox, Chrome, IE, Safari, Opera
- Bogus domain checks for ISPs
- DNSSEC HTML widget
- Turris project: secure CPE
- Open source

9 Campaigns
- Good domain: IT Crowd style guy explaining why it is important to have a (signed) domain
- Twins: strange video played by people looking like some celebrities; secure domains
- Internet how-to: 2-minute educational spots in prime time on major Czech TV, about DNSSEC and IPv6

10 Automated Keyset Management
- RFC: Automating DNSSEC Delegation Trust Maintenance
- RFC: Managing DS Records from the Parent via CDS/CDNSKEY
- Daily scanning of all domains in the zone file for CDNSKEY records
- Takes about 3 hours for .CZ
- Three categories of domains:
  - without KeySet
  - with automatically generated KeySet
  - with legacy KeySet created by a registrar

11 Registry implementation
cdnskey-scanner
- CLI tool invoked by fred-akm
- Input: STDIN, output: STDOUT
- Implemented with getdns + libevent
- Distribution of queries per nameserver (scans secured/insecure domains with nameservers for CDNSKEY)
fred-akm
- CLI tool invoked from cron
- Implements the processing logic
- SQLite database backend to store the state (get domains with nameservers, update DNSSEC, notify contacts)
FRED-specific layer: fred-akmd
- Server-side daemon
- Implements the CORBA interface for registry data
- Can be replaced with a registry-specific part

12 Domains without KeySet
- Scanning all authoritative nameservers from the registry database via TCP queries
- When a CDNSKEY is found, the technical contact is informed via
- Keep scanning for 7 more days
- If the results are always the same (and it is not a DS deletion), a new KeySet is created and linked to the domain
- Domain holder (via notify ) and registrar (via EPP) are notified

13 Domains with automatic KeySet
- Scan for CDNSKEY via the local resolver; DNSSEC is validated inside the scanner
- If a CDNSKEY is found, do as requested:
  - update the KeySet with the new DNSKEY, or
  - remove the KeySet (domain holder and registrar are notified)
- Technical contact is informed via

14 Domains with legacy KeySet
- Scan for CDNSKEY via the local resolver; DNSSEC is validated inside the scanner
- If a CDNSKEY is found, do as requested:
  - create a new automatic KeySet and swap it into the domain, or
  - remove the KeySet
- Technical contact is informed via
- Domain holder (via notify ) and registrar (via EPP) are notified
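The per-domain decision logic of slides 12 to 14, as an added illustrative model (not fred-akm's own code): each daily scan result is fed to `process_scan`, which applies the "7 more days of identical results" rule for domains without a KeySet, acts immediately for automatic KeySets, and swaps legacy KeySets for automatic ones. Assumptions: the deletion request is the CDNSKEY form `0 3 0 AA==` defined by the "Managing DS Records from the Parent" RFC the slides cite, and notifications are reduced to returned action strings.

```python
"""Constructed model of automated keyset management (AKM) decisions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Deletion request: CDNSKEY with flags 0, protocol 3, algorithm 0, key "AA==".
DELETE_CDNSKEY = frozenset({"0 3 0 AA=="})
STABLE_DAYS = 7  # keep scanning for 7 more days after the first sighting

@dataclass
class Domain:
    name: str
    keyset: Optional[FrozenSet[str]] = None   # DNSKEYs in the registry KeySet, None = no KeySet
    keyset_kind: Optional[str] = None         # None, "automatic" or "legacy"
    pending: Optional[FrozenSet[str]] = None  # CDNSKEY set seen while waiting (no-KeySet path)
    pending_days: int = 0                     # consecutive days the pending set was re-confirmed

def process_scan(d: Domain, cdnskey: FrozenSet[str]) -> str:
    """Apply one daily CDNSKEY scan result; return the action taken."""
    if not cdnskey:                           # nothing published: nothing to do
        d.pending, d.pending_days = None, 0
        return "no-cdnskey"
    if d.keyset is None:
        # Domains without KeySet: only a stable, non-deletion result creates one.
        if cdnskey == DELETE_CDNSKEY:
            d.pending, d.pending_days = None, 0
            return "ignored-delete"
        if cdnskey != d.pending:              # first (or changed) sighting restarts the clock
            d.pending, d.pending_days = cdnskey, 0
            return "notify-contact"
        d.pending_days += 1
        if d.pending_days < STABLE_DAYS:
            return "waiting"
        d.keyset, d.keyset_kind = cdnskey, "automatic"
        d.pending, d.pending_days = None, 0
        return "keyset-created"               # holder and registrar would be notified here
    # Domains with a KeySet (automatic or legacy): do as requested.
    if cdnskey == DELETE_CDNSKEY:
        d.keyset, d.keyset_kind = None, None
        return "keyset-removed"
    if d.keyset_kind == "legacy":             # replace registrar-created KeySet
        d.keyset, d.keyset_kind = cdnskey, "automatic"
        return "keyset-swapped"
    if cdnskey != d.keyset:
        d.keyset = cdnskey
        return "keyset-updated"
    return "unchanged"
```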

15 KSK rollover in Knot DNS
- Double-signature KSK rollover
- Optional KSK submission via CDS/CDNSKEY
- Periodic checks for DS existence via a set of configured nameservers (all must see the DS):
  - all parental authoritative nameservers
  - and/or a DNSSEC-validating resolver

16 CZ.NIC - other activities
- Despite the huge price reduction, still a surplus
- New activities:
  - National CERT team: CSIRT.CZ
  - Enlightenment: TV shows, books
  - Academy: training
  - mojeID
  - Conference hosting: ICANN, IETF, RIPE, etc.
  - CZ.NIC Labs, ...

17 CZ.NIC Labs: development of open source software
- BIRD
- Knot DNS
- Knot Resolver
- DNSSEC Validator
- Tablexia
- Netmetr
- Local stuff: Datovka, iDatovka, ...
- Research: security, new technologies

18 Turris & Turris Omnia
And later on: open source HW
- Turris: security research (CZ only)
- Turris Omnia: publicly available SOHO router; IndieGoGo campaign raised $1.25M (!)

19 THANK YOU! Sergey Myasoedov
