Presentation is loading. Please wait.

Presentation is loading. Please wait.

.uk DNSSEC Status update

Published byAlina Graziani Modified over 5 years ago

Similar presentations

Presentation on theme: ".uk DNSSEC Status update"— Presentation transcript:

1 .uk DNSSEC Status update
02/05/2011 Brett Carr

2 Introduction .uk DNSSEC September 2010 Issues SLD DNSSEC
DNSSEC Signing Service.

3 .uk DNSSEC .uk Signed March 2010
Uses: Opendnssec Centos Oracle HSM’s Three sets of identical hardware/software NSEC3 not needed but deployed. ZSK rolled every 6 months automatically KSK rolled every 3 years Low TTL on DNSKEYS to ensure rapid recovery from *issues*

4 What did we change/learn
September 2010 Issue HSM Hardware failure caused OS crash HSM Locked on reboot System designed with no urgency to fix so wait Failover to backup system Opendnssec key db/config file inconsistency 2 Day TTL on DNSKEY caused slow recovery What did we change/learn Don’t lock HSM’s on reboot add’s extra security but more complexity. Improved checking procedures for failover Reduce TTL on dnskey to 1 hour so recovery is quicker

5 SLD DNSSEC Signing of: me.uk co.uk ltd.uk plc.uk org.uk net.uk sch.uk Zones are very large and dynamically updated every minute. BIND Continuous signing: Create the keys then add this to your configuration: auto-dnssec maintain; sig-validity-interval 35 28; Single Key (no KSK and ZSK) as we are the parent No scheduled rollover DS’s accepted from capable registrars 18 May

6 DNSSEC Signing Service
Encourage deployment of DNSSEC further. Registrar gives us unsigned zone (via notify and axfr) Nominet signing systems create a signed zone. Notify sent to customer DNS system for AXFR. For *.uk zones Nominet signing system inserts DS record into parent.

7 Questions/Comments

Download ppt ".uk DNSSEC Status update"

Similar presentations

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA

< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai

DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
Identity Management and DNS Services Tianyi XING.

Identity Management and DNS Services Tianyi XING.
Identity Management and DNS Services Tianyi XING.

Identity Management and DNS Services Tianyi XING.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.

Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.
DNSSEC deployment in NZ Andy Linton

DNSSEC deployment in NZ Andy Linton
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.

OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.
(1) Introduction to Continuous Integration Philip Johnson Collaborative Software Development Laboratory Information and Computer Sciences University of.

(1) Introduction to Continuous Integration Philip Johnson Collaborative Software Development Laboratory Information and Computer Sciences University of.
Olaf M. Kolkman. IETF58, Minneapolis, November 2003. DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

Similar presentations

Ads by Google