Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda DNSSEC automation overview How to implement it in FRED

Published byMartin Young Modified over 6 years ago

Similar presentations

Presentation on theme: "Agenda DNSSEC automation overview How to implement it in FRED"— Presentation transcript:

1 Agenda DNSSEC automation overview How to implement it in FRED
Obstacles Future

2 DNSSEC automation DNSSEC brought slightly more effort for sysadmins
Re-signing because of expiring signatures Rolling keys as a good security practice For wide DNSSEC adoption, good tool is necessity! OpenDNSSEC Bind inline signing KnotDNS automated signing

3 DNSSEC automation Still KSK rollover is generally manual effort with registrar cooperation Log in to registrar, fill the form with new key After some time log in again and remove old key RFC Automating DNSSEC Delegation Trust Maintenance – Sep 2014 Publishing new keys as CDS/CDNSKEY resource records Responsible entity will do update based on verified DNSSEC response

4 DNSSEC automation How is RFC 7344 supported in tools?
OpenDNSSEC-CDS (branch, last commit 2013) KnotDNS – expected early in 2017 Bind 9.11 – released (month ago!) New automation tool dnssec-keymgr Supposed to have full CDS/CDNSKEY support At the end, only partially supported (not in dnssec-keymgr but only in dnssec-settime) Bind 9.11 is usable with some tweaks

5 FRED Open source registry - https://fred.nic.cz
Developed by CZ.NIC since 2006 Used for E164.ARPA, CZ, CO.CZ, IT.AO, CO.AO, TZ, FO, CR, AL, MK News in 2016 Deployment in MW (Malawi) and AR (Argentina) RDAP implementation (RDAP for CZ still single in IANA registry

6 FRED & DNSSEC Support for key sharing by introducing KeySet as first class object: Collection of DNSKEY resource records EPP extension for registrars Dedicated registrar Associated technical contacts Registrars doesn’t upload DS but DNSKEY

7 FRED & DNSSEC automation
Prototype automation script to be invoked regularly via cron Using fred-client python library & dnspython Get CDNSKEY via DNSSEC validating resolver Call update_keyset via EPP Deployment scenarios Registry modifies objects of registrars Registrars will deploy this service Registry will be the registrar for keysets

8 Registry modifies objects of registrars
Registration rules say the data of domains, contacts, nssets and keysets are changed only via registrars Explicit exceptions for implementation of court decisions and optimization purposes May be changed, but it’s a long term process

9 Registrars will deploy this service
Registrars could do it already… if the knew Topic scheduled for next regular meeting Informal discussions with a few show some support Competitive advantage?

10 Registry will be the registrar for keysets
Solution supported by architecture We have done it already Our identity service mojeID is nothing more than registrar for validated contacts Operational cost is minimized by automation Still there is bootstrap issue – currently only registrar of domain may associate domain with keyset

11 Obstacles Shared KeySets Wait until all domains has the same CDNSKEY
Configuration of signaling domain – do changes when this domain has new CDNSKEY Bootstrap Registrants must create initial KeySet manually Timing Anytime in between zone file generation (1/2h)

12 Future Currently all three scenarios looks viable (may change)
Internal prototype is almost finished Some issues may be resolved by implementation of draft-latour-dnsoperator-to-rrr-protocol

13 Thank You Jaromir Talir •

Download ppt "Agenda DNSSEC automation overview How to implement it in FRED"

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker 2012 Oct.

Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker Oct.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
Securing the Government’s DNS Infrastructure with DNSSEC

Securing the Government’s DNS Infrastructure with DNSSEC
1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.
IANA Activities Update Jean-Jacques Sahel | RIPE 70 Amsterdam| 15 May 2015.

IANA Activities Update Jean-Jacques Sahel | RIPE 70 Amsterdam| 15 May 2015.
© 2006, Cognizant Technology Solutions. All Rights Reserved. The information contained herein is subject to change without notice. Automation – How to.

© 2006, Cognizant Technology Solutions. All Rights Reserved. The information contained herein is subject to change without notice. Automation – How to.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
Software Pieces for the DNSSEC-deployment roadmap SPARTA, Inc. 01/21/05.

Software Pieces for the DNSSEC-deployment roadmap SPARTA, Inc. 01/21/05.
IANA Activities Update Naela Sarras | ARIN 35 San Francisco | 14 April 2015.

IANA Activities Update Naela Sarras | ARIN 35 San Francisco | 14 April 2015.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.

Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.
Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.

Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
DNSSEC deployment in NZ Andy Linton

DNSSEC deployment in NZ Andy Linton

Similar presentations

Ads by Google