ION Sri Lanka - DNSSEC at LK Domain Registry
•Download as PPTX, PDF•
0 likes•1,100 views
Deploying DNSSEC: A .LK Case Study Sashika Suren (LK Domain Registry) This session will explore LK Domain Registry’s technical solution for deploying DNSSEC support in the .LK registry. With a goal of making it easier for domain name holders to easily add DNSSEC, we will take a quick look at our DNSSEC implementation strategy, the status/progress of .LK signed domains, and our lessons learned and challenges for increasing the percentage of signed domain names.
Report
Share
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to ION Sri Lanka - DNSSEC at LK Domain Registry
Similar to ION Sri Lanka - DNSSEC at LK Domain Registry (20)
More from Deploy360 Programme (Internet Society)
More from Deploy360 Programme (Internet Society) (20)
Recently uploaded
Recently uploaded (20)
ION Sri Lanka - DNSSEC at LK Domain Registry
- 2. History • Testing started in late 2009 - With a testbed and bind • Generated the KSKs and ZSK at Key Generation Ceremony in June 2010 - Used NSEC • All 3 ccTLDs were officially signed in 15th July 2010 • DS records were submitted to ICANN
- 3. Our Practice • We keep KSK in a secure isolated zone signer - Security purposes • ZSK is in the hidden primary DNS server • ZSK roll over every 6 months • Generate RRSIGs of DNSKEY recodes using KSK and ZSK - RRSIGs are imported to zone file - ZSK is used to generate RRSIGs of other DNS recode types
- 4. Our Practice… • Our back-end database has zone details - NS, A, MX, TXT etc • Script is used to generate the zone file whenever new update propagates - 2 to 3 times a day • Generated zone file (new) is forwarded to zone signing process - All recodes will be signed
- 5. Our Experience • We have 18k domains in .lk - Around 50% of the clients do NOT have NS records - Only resource rocodes (i.e. A, TXT, MX, SPF) • Around 1,50,000+ SIGNED records in the .lk Zone file - Takes ~240 Seconds to Sign the entire .lk zone
- 6. Our Experience... • All records are signed ( Feed is a new file without RRSIGs of zone data) - Time consuming - Bandwidth consuming (IXFR – Less effective) • What we expect? - To use features of IXFR • Less Bandwidth - Automated Signing which supports • Less delay • Less overhead
- 7. Our Solution (Proposed) • We are planning to implement DNSSEC with NSUPDATE and Fully Automatic Smart Signing. - Allows automated DNS record updates to zone. - Automates the zone signing process. • Increase the incremental zone transfer [IXFR] performance. • Supports key rollover with less human interaction.
- 8. Dynamic DNS Update Utility Tool [nsupdate] • Allows resource records to be added or removed from a zone without manually editing the zone file. • Use Key for secure communication.
- 9. Fully Automatic Smart Signing • Dynamic DNS must be enabled. • Use Zone Signing Keys [ZSK]s and Key Signing Key[KSK]. • Automatically generates the digital Signatures of DNS resource records. - Newly added DNS Records - Modified DNS records - Expired Signatures • Higher IXFR performance.
- 10. Zone Signing Key Rollover • Support for ZSK rollover with isolated KSK • Support for Scheduled multiple ZSK rollover - Pre-published multiple ZSKs which activate after specified time. - less human interaction. ZSK ZSK ZSK - Published Now - Activate Now - Published Now - Activate in 6 months - Published Now - Activate in 12 months Time
- 11. Concerns • Security - Isolated Key Signing Key [KSK] • Correctness - Less human errors • Recovery Process - nsupdate use journal file before write data to the zone file. - Journal file can be use to re-generate zone file in case of zone file corruption.