Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.

Slides:



Advertisements
Similar presentations
DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Advertisements

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
WSUS Presented by: Nada Abdullah Ahmed.
DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai
Aristotle Balogh February 2000 NSI Registry Update NANOG 18, San Jose, California Aristotle Balogh February 6, 2000.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
Module 8: Designing Active Directory Disaster Recovery in Windows Server 2008.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.
IIT Indore © Neminath Hubballi
Software Pieces for the DNSSEC-deployment roadmap SPARTA, Inc. 01/21/05.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
How to publish your app 1 CS440. Step 1: Remove any debug logging  Good practice: comment out any debug logging  Why? CS440 2.
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
Kenya Network Information Centre (KENIC). Introduction KENIC is the registry for the.KE ccTLD. Local and non-profit organization Mandate is to Manage.
Module 1: Configuring Windows Server Module Overview Describe Windows Server 2008 roles Describe Windows Server 2008 features Describe Windows Server.
DNS Dynamic Update Performance Study The Purpose Dynamic update and XFR is key approach to perform zone data replication and synchronization,
DNSSEC deployment in NZ Andy Linton
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
Architecture and ATLAS Western Tier 2 Wei Yang ATLAS Western Tier 2 User Forum meeting SLAC April
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Usage of virtualization in gLite certification Andreas Unterkircher.
AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.
Linux Operations and Administration
Registry Functions Essential components for operating a ccTLD registry.
What if Everyone Did It? Geoff Huston APNIC Labs.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Web Server Administration Chapter 4 Name Resolution.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
Institute for the Protection and Security of the Citizen HAZAS – Hazard Assessment ECCAIRS Technical Course Provided by the Joint Research Centre - Ispra.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.
DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc Samuel Morse Dr. Columbia MD Ph:
Workshop Overview & Registry Model Model by Jaap Akkerhuis Related by Daniel Karrenberg.
Simulation Production System Science Advisory Committee Meeting UW-Madison March 1 st -2 nd 2007 Juan Carlos Díaz Vélez.
Distributed Storage Middleware To build a distributed web storage service for small files; To provides RESTFUL interface to access files and directories.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
SaudiNIC Experience in Deploying DNSSec AbdulRahman Al-Ghadir SaudiNIC - CITC MENOG 16.
1 FRED – open source registry system CZ.NIC, z.s.p.o. Jaromír Talíř
So You Inherited a DNS Server…
Database backed DNS.
Authors: Sajjad Rizvi, Xi Li, Bernard Wong, Fiodar Kazhamiaka
SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH
CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others
Cloud based Open Source Backup/Restore Tool
draft-zhang-dnsext-test-result-00
DNSSEC Status Update in UA
Student Information System Business Support Office
Presentation transcript:

Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation

.th System Architecture

KeyStore Admin Tool Key parameters for the zone  Key Usage, KSK/ZSK  Key Algorithm, RSA-SHA1/RSA-SHA256  Key Length, 2048/1024 bits  Key Reference Location Keys generation Tool  Key gen. for multiple zones  Key gen. for a zone  Rollover Key gen. for multiple zones  Rollover Key gen. for a zones  Rollover Key deletion

Private Key Private Key store in the.private file  Tracking by KeyStore Admin Tool Reference Location Timestamp  Non Active Key are store in separate directory Public Key store in the.key file and in the KeyStore for easy access  Accessible by KeyStore Admin Tool Reference Location Key content Timestamp  Non Active Key are store in separate directory

Zone Builder Tool Run by Cron job Put DNSKEY and DS records into the zone  Only active keys will be put into the zone. Auto update the serial no. Legacy zone content is included.  The content that is operated by hand.

Zone Signer Run by Zone Builder Tool Sign the zone by corresponding keys  Read signing parameter from KeyStore  Sign zone using BIND’s dnssec-signzone  Sign multiple keys for key rollover when needed

Zone Transfer Signed zones will be loaded into local Nameserver By using the DNS Zone transfer mechanism with TSIG setup, The zone will be transferred to the Outbound Nameserver before transferring to the Primary Nameserver Then will be distributed to the authoritative servers

DS & DNSKEY Tool Client Domain need to send in their keyset (public key)  via. and (in the future, web interface) Registration staff then will verify the key and then run the tool to convert the key to DS records The tool will automatic store DS records to the zone Database For the legacy client, to run the tool, the staff need to create a Keyset file and put the result (DS records) to the zone by hand.

Sign.th zone Experimental Signer box Setup  Intel Quad Core Xeon X GHz  Ram 2GB  OS FreeBSD 6.4-RELEASE  BIND P1.th zones  1 tld, “th”  7 sld, “ac.th”, “co.th”, “go.th”, “in.th”, “mi.th”, “net.th”, “or.th” Key Size  KSK algorithm RSA-SHA bits  ZSK algorithm RSA-SHA bits

Sign.th zone Experimental Sign zone with no DS record ZoneRegistered domains Zone size (K) Time taken (s) Unsigned zoneSigned zone th16, , ac.th5, , co.th34,4121,80710, go.th4, , in.th9, , mi.th net.th or.th

Things To Do Registry-Registrar-Reseller DNSSEC add-on API.  To enable DNSSEC registration  To handle keyset submission  Provide publickey information to the world ….

Krit Witwiyaruj Thai Name Server Co., Ltd Thank You

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.