DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75

Presentation transcript:

DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75 21 February 2019

What is DNSSEC?
- DNSSEC = “DNS Security Extensions”
- DNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS)
- DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names
- Result of over a decade of community based, open standards development
- Implemented in the root zone in 2010

State of DNSSEC Deployment at MEDNSF 2019
- Over 90% of top-level domains are signed with DNSSEC
- 1532 TLDs in the root, 1398 are signed (reduction of 11 since MEDNSF 2018)
- 1386 TLDs have trust anchors published
- About 50% of ccTLDs are signed
- Recent adoption in Mauritania’s IDN ccTLD on 30 Jan 2019 & .DZ on 5 Feb 2019

State of DNSSEC Deployment as of 20 Feb 2019

State of DNSSEC Deployment (source: ISOC Deploy360)


KSK Rollover

KSK Rollover Project
- Goal: Replace the key (KSK) used to sign the DNS root zone's DNSSEC key set since 2010 without disruption
- Passed many milestones, a few more to go
- Next up: removing the revocation record for the out-going KSK on 22 March 2019

Where It Is
- 2015: Design Team
- 2016: Plans Made; Key Created
- 2017: Publicize; The "Pause"
- 2018: Publicize; Change Key
- 2019: Revoke; Clean Up
A key rollover can be done more quickly, but "going fast" has never been the goal

Audience Actions
- Have you done nothing so far and have seen no problems? Continue what you are doing!
- Have you been relying on Automated Updates (RFC 5011)?
- Are you manually managing the configuration of DNSSEC trust anchors? Remove the old key (2010) from trust anchors.
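
For operators who manage trust anchors by hand, the following added example (not part of the presentation) audits a zone-file style trust anchor file for the 2010 key, including its revoked form, whose key tag differs because the RFC 5011 REVOKE bit is part of the tagged data. It assumes the widely published key tags 19036 (KSK-2010) and 20326 (KSK-2017), which the slides do not state, and uses constructed two-byte stand-in keys rather than the real root keys.

```python
import base64
import struct

# Widely published key tags of the root KSKs (assumed here; not stated on the page).
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326
REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag as defined in RFC 4034, Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_trust_anchors(text):
    """Return one finding per root DNSKEY record found in zone-file style text."""
    findings = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "DNSKEY" not in fields or fields[0] != ".":
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        public_key = base64.b64decode("".join(fields[i + 4:]))
        # The REVOKE bit changes the tag, so also compute the tag before revocation.
        original = key_tag(flags & ~REVOKE, protocol, algorithm, public_key)
        findings.append({
            "tag": key_tag(flags, protocol, algorithm, public_key),
            "original_tag": original,
            "revoked": bool(flags & REVOKE),
            "action": {KSK_2010_TAG: "remove", KSK_2017_TAG: "keep"}.get(original, "review"),
        })
    return findings

def anchors_ok(findings):
    """True when KSK-2017 is trusted and no form of KSK-2010 remains."""
    tags = {f["original_tag"] for f in findings}
    return KSK_2017_TAG in tags and KSK_2010_TAG not in tags

# Constructed sample: two-byte stand-in keys chosen to yield the published tags, not real keys.
SAMPLE = """\
. 172800 IN DNSKEY 257 3 8 RlM=   ; stand-in for KSK-2010
. 172800 IN DNSKEY 385 3 8 RlM=   ; same key with the REVOKE bit set
. 172800 IN DNSKEY 257 3 8 S10=   ; stand-in for KSK-2017
"""

if __name__ == "__main__":
    print(audit_trust_anchors(SAMPLE), "ok:", anchors_ok(audit_trust_anchors(SAMPLE)))
```

A file that still lists either form of the 2010 key is reported with action "remove"; a file holding only the 2017 key passes `anchors_ok`.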

For More Information
1. Visit https://icann.org/kskroll
2. Join the conversation online
   - Use the hashtag #KeyRoll
   - Sign up to the mailing list https://mm.icann.org/listinfo/ksk-rollover
3. Ask a question to globalsupport@icann.org
   - Subject line: “KSK Rollover”
4. Attend an event
   - Visit https://features.icann.org/calendar to find upcoming KSK rollover presentations in your region

Engage with ICANN – Thank You and Questions