< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA

Presentation transcript:

KISA, Young-sun La, rays@kisa.or.kr

Contents
- Introduction
- .kr DNSSEC
  - Overview
  - Status
  - Plan
- Registration Open Preparations
- Plug-in Pilot
- Seminar
- Considerations

Introduction
- KISA roles
  - Registry for .kr & .한국 (IDN ccTLD)
    - Thirty kr subdomain zones (e.g., "co.kr")
    - Cooperation with thirty-four registrars (domain registration & administration, using EPP)
  - Operating the master kr DNS
  - Fifteen slave DNS servers deployed and operated
    - 9 sites in Korea, 6 sites abroad
    - 12 sites controlled by KISA, 3 sites controlled by ISPs
  - Hosting Root DNS (F) mirror
  - Hosting other ccTLDs' DNS (Germany, Brazil, Singapore, China)
- KR domains: 1,094,609 (July 2011)
- DNS queries: 1,229,393,305/day (July 2011 average)

DNSSEC Overview
[Diagram; labels: .kr Registry, KISA, .kr Registrar, 34 Co., .kr Registrant (DNS Operator), Recursive DNS, User, "ISP, Co., Gov."]
- 2011, June: go.kr (signed)
- 2011, Sep.: .kr
- 2011, Oct.: 12 zones
- 2011, Nov.: 16 zones
- 2012, Mar.: co.kr
- The latter half of 2011: DNSSEC cache servers run
- The latter half of 2011: DNSSEC Validation Plug-in (Pilot)
- The latter half of 2012: DNSSEC registrations open

DNSSEC Status
- June 1st: go.kr signed
  - NSEC3 (DS RRs do not exist yet)
  - ZSK automated rollover (BIND support)
  - BIND version: above 9.6.0
- Architecture
  - Domain DB -> DNSSEC Master (signer) -> kr DNS Master -> kr DNS Slaves (15 sites)
  - Unifying the DNSSEC Master and the kr DNS Master is possible and simpler. We separated them for easy recovery in case of DNSSEC service failure.
  * The architecture can be implemented in various forms according to the local environment & situation.

DNSSEC Status (Cont.)
- Keeping the Dynamic Update service running (the toughest job in deploying DNSSEC)
- All-zone transfer: once a day
  - Working hours: 130 minutes, most of it for zone transfer (90 minutes)
  - Considering that zone signing will increase, improvements to the zone transfer architecture should be considered
  - The transfer to the slave in Brazil took the longest time.
- Dynamic update modification needed: we currently cover a failed D.U. with a transfer of all zones once a day, but if more zones adopt DNSSEC, it will be difficult to AXFR the whole zone every time. We are seeking solutions to guarantee trust in D.U.

DNSSEC Plan
- 2011, Sep.: .kr
- 2011, Oct.: 12 zones (or.kr, ac.kr, etc.)
- 2011, Nov.: 16 zones (seoul.kr, jeju.kr, etc.)
- 2012, Mar.: co.kr (* biggest zone)
* Except registrants' (domain owners') DNSSEC adoption
  Registration system (possible after DB, EPP revision)

DNSSEC Plan (Cont.)
- HSM adoption (testing both server type and PCIe type)
- Duplication of the master kr DNS (should be done together with Domain DB duplication)
  * Last month we experienced flooding and a power outage; for about 12 hours, the domain info modification service wasn't possible
- We are deploying DNS cache servers (DNSSEC enabled) (70% done), for R&D
- 2012~: DNSSEC domain registration service opens (DS RRs can be stored in the Registry; the DB & EPP work should be done)

Registration Open Preparations
- DS RR Verification Toolkit
  - Checks DS RR validity using user input data (DNSKEY RR, DS RR)
  - Shows the result "ok"
  - JSP
  - Java DNS API (DS Validation class, DS Record class, …)
  - Checks input errors
  - Error exceptions

Registration Open Preparations DS RR Verification Toolkit
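
One way to implement the check the DS RR Verification Toolkit slides describe, as an added Python example (not KISA's JSP/Java toolkit): it recomputes the key tag and digest from the submitted DNSKEY as defined in RFC 4034 and compares them with the submitted DS. The function names, result strings and the example.kr sample records are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(owner):
    # Canonical owner name: lower-case labels, each length-prefixed, then the root byte.
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text):
    # "flags protocol algorithm base64-key" -> DNSKEY RDATA in wire format.
    flags, proto, alg, *b64 = text.split()
    key = base64.b64decode("".join(b64), validate=True)
    if int(proto) != 3 or not key:
        raise ValueError("DNSKEY needs protocol 3 and a public key")
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key

def key_tag(rdata):
    # RFC 4034 Appendix B checksum (not valid for algorithm 1, RSA/MD5).
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    # DS digest = hash(owner name in wire format | DNSKEY RDATA), RFC 4034 section 5.1.4.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner, dnskey_text, ds_text):
    # Returns "ok", "mismatch: ..." or "input error: ..." for user-supplied records.
    try:
        rdata = parse_dnskey(dnskey_text)
        tag, alg, dtype, *hexparts = ds_text.split()
        tag, alg, dtype = int(tag), int(alg), int(dtype)
        digest = bytes.fromhex("".join(hexparts)).hex().upper()
        if dtype not in DIGESTS:
            raise ValueError(f"unsupported digest type {dtype}")
        want_tag, want_alg, _, want_digest = make_ds(owner, rdata, dtype)
    except (ValueError, struct.error) as exc:
        return f"input error: {exc}"
    if not rdata[0] & 0x01:  # Zone Key flag (value 256) must be set on the DNSKEY
        return "mismatch: DNSKEY is not a zone key"
    if (tag, alg) != (want_tag, want_alg):
        return "mismatch: key tag or algorithm"
    return "ok" if digest == want_digest else "mismatch: digest"

# Constructed sample (not a real .kr key): 64 filler bytes stand in for the public key.
SAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(hashlib.sha512(b"constructed").digest()).decode()
SAMPLE_DS = "{} {} {} {}".format(*make_ds("example.kr.", parse_dnskey(SAMPLE_DNSKEY), 2))

if __name__ == "__main__":
    print(check_ds("example.kr.", SAMPLE_DNSKEY, SAMPLE_DS))
```

Because the owner name is part of the digest input, a DS copied from another domain fails the digest comparison even when the key itself is identical.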

Registration Open Preparations
- EPP Modification
  - DS RR information added
  - DNSSEC-related EPP commands: <secDNS:create>, <secDNS:add>, <secDNS:rem>, <secDNS:chg>
  - New version RTK distribution

DNSSEC Plug-in Pilot
- DNSSEC Validator Plug-In Dev. (Pilot)
  - DNSSEC Validation API development: dnsval-1.10 (for Linux & Windows)
  - Chrome, Firefox: Npruntime
  - IE: ActiveX

DNSSEC Plug-in Pilot
- DNSSEC Validator Plug-In Dev. (Pilot)
  - Various images help users understand the validation result more easily and directly

DNSSEC Seminar
- For user understanding & publicity
- Planning three times this year
  - 1st seminar: 2011/7/14, 13:00~18:00
    - Participants: 30 (go, ac, re, ne, isp)
    - Before/after survey done (33 people)
  - 2nd: Sep.
  - 3rd: Nov.

Considerations
- New BIND versions come out very often
  - (strength) With new functions added, BIND has most of the functions we need, without ZKT, OpenDNSSEC, DNSSEC-TOOLS, etc.
  - (weakness) BIND security vulnerabilities come often
    - In the most recent year, 10 were reported (CVE-2011-0414, 1907, 1910, 2464, 2465; CVE-2010-0218, 3762, 3614, 3615, 3613)
  - (weakness) Difficult to have full knowledge of administration & operation

Considerations
- Commercial solution deployment
  - Problem of choosing between economy and convenience

Thank you