Published by Andre Norden. Modified over 10 years ago.
1
KISA Young-sun La rays@kisa.or.kr
< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA Young-sun La
2
Contents Introduction .kr DNSSEC Overview Status Plan
Registration Open Preparations Plug-in Pilot Seminar Considerations
3
Introduction KISA roles Registry for .kr & .한국(IDN ccTLD)
Thirty kr subdomain zone(ex, “co.kr” etc.) Cooperation with Thirty four Registrars(domain registration & administration, Using EPP) Operating Master kr DNS Fifteen slave DNS deployment & operation 9 Sites in korea, 6 sites abroad 12 sites controled by KISA, 3 sites controled by ISPs Hosting Root DNS(F) Mirror Hosting other ccTLDs DNS(German, Brazil, Sigapore, China) KR domains : 1,094,609(2011 July) DNS Query : 1,229,393,305/day(2011 July Ave.)
4
.kr Registrant (DNS Operator)
DNSSEC Overview .kr Registry User Recursive DNS .kr Registrant (DNS Operator) 34 Co. 2011, June : go.kr (signed) 2011, Sep. : .kr 2011, Oct. : 12 Zones 2011, Nov. : 16 Zones 2012, Mar. : co.kr the latter half 2012 DNSSEC Registrations Open the latter half 2011 DNSSEC cache servers run The latter half of 2011 DNSSEC Validation Plug-in(Pilot) KISA .kr Registrar ISP, Co., Gov.,
5
DNSSEC Status June 1st : go.kr signed NSEC3 (DS RR aren’t exist yet)
ZSK Automated Rollover(BIND support) BIND version : above 9.6.0 Architecture Domain DB->DNSSEC Master(signer)-> kr DNS Master -> kr DNS Slaves(15sites) Simply, Unification DNSSEC Master & kr DNS Master is possible. We seperated them for esay recovery in case of DNSSEC service failure. * Architecture could be implemented as various forms according to the local environment & situation.
6
DNSSEC Status(Cont.) Keeping Dynamic Update Service running(the most toughest job in deployment DNSSEC) All Zone Transfer : Once a day Working Hours : 130minutes, most for zone transfer(90minutes) Considering zone signing increase, improvement in zone transfer architecture should be considered Transfer to slave in brazil took the longest time. Dynamic update modification need : we cover all zone transfer once a day in case of D.U. failure now, but if more zone adopt DNSSEC, It will be difficult to AXFR the whole zone every time. We are seeking solutions to guarantee trust in D.U.
7
DNSSEC Plan 2011, Sep. : .kr 2011, Oct. : 12 zones(or.kr, ac.kr etc.)
2011, Nov. : 16 zones(seoul.kr, jeju.kr etc.) 2012, Mar. : co.kr(* biggest zone) *Except Registrants’(Domain Owners) dnssec adoption Registration system(possible after DB, EPP revision)
8
DNSSEC Plan(Cont.) HSM adoption(testing both server type and PCIe type) Duplication master kr DNS(should be done with Domain DB duplications * experienced flooding and power cutage, about for 12hours, domain info modification service wasn’t possible(last month) We are deploying DNS cache server(DNSSEC enabled)(70% done), for R&D 2012~ : DNSSEC Domain Registration service open(DS RR could be stored in Registry, DB & EPP job should be done)
9
Registration Open Preparations
DS RR Verification Toolkit Check DS RR validity using user input data(DNSKEY RR, DS RR) Show the result “ok” JSP Java DNS API(DS Validation class, DS Record class, …) Check Input error Error exceptions

Registration Open Preparations
DS RR Verification Toolkit
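
The check such a toolkit performs on a user-supplied DNSKEY RR and DS RR can be sketched as follows. This is an added example, not KISA's toolkit code (which the slides describe as JSP with a Java DNS API); it follows the DS calculation in RFC 4034 and RFC 4509, and the function names and the 4-byte sample key are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in owner name: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | public key."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    key = base64.b64decode(pubkey_b64, validate=True)  # ValueError if malformed
    if not key:
        raise ValueError("empty public key")
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def check_ds(owner, dnskey, ds):
    """Return "ok" if ds = (tag, alg, digest_type, hex) matches dnskey."""
    tag, alg, digest_type, digest_hex = ds
    if digest_type not in DIGESTS:
        raise ValueError("unsupported DS digest type: %r" % digest_type)
    want = bytes.fromhex(digest_hex)  # ValueError on non-hex input
    rdata = dnskey_rdata(*dnskey)
    if alg != dnskey[2]:
        return "algorithm mismatch"
    if tag != key_tag(rdata):
        return "key tag mismatch"
    got = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return "ok" if got == want else "digest mismatch"

# Constructed sample: a 4-byte dummy "key" (flags, protocol, alg, base64).
SAMPLE_KEY = (257, 3, 8, "AQIDBA==")
```

Malformed input (bad base64, bad hex, unknown digest type) raises `ValueError`, while a well-formed DS that does not match the key returns the reason as a string.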

Registration Open Preparations
EPP Modification
- DS RR information added
- DNSSEC-related EPP commands: <secDNS:create>, <secDNS:add>, <secDNS:rem>, <secDNS:chg>
- New version RTK distribution

DNSSEC Plug-in Pilot
DNSSEC Validator Plug-In Dev. (Pilot)
- DNSSEC Validation API development: dnsval-1.10 (for Linux & Windows)
- Chrome, Firefox: Npruntime
- IE: ActiveX

DNSSEC Plug-in Pilot
DNSSEC Validator Plug-In Dev. (Pilot)
- Various images help users understand the validation result more easily and directly

DNSSEC Seminar
- For user understanding & publicity
- Planning three times this year
- 1st seminar: 2011/7/14, 13:00~18:00
- Participants: 30 (go, ac, re, ne, isp)
- Before/after survey done (33 people)
- 2nd: Sep.
- 3rd: Nov.

Considerations: BIND
- New BIND versions come out very often
- (strength) With new functions added, BIND has most of the functions we need, without ZKT, OpenDNSSEC, DNSSEC-TOOLS etc.
- (weakness) BIND security vulnerabilities are reported often: 10 times in the recent one year (CVE , 1907, 1910, 2464, 2465, CVE , 3762, 3614, 3615, 3613)
- (weakness) Difficult to have full knowledge of administration & operation

Considerations: Commercial solution deployment
- Problem of choosing between economy and convenience

Thank you