1 / 10

OpenDNSSEC: Automated DNSSEC Deployment in NZ

OpenDNSSEC is a secure and easy-to-use tool for deploying DNSSEC in New Zealand. It offers automatic key generation, key rollover, and zone signing, along with auditing and support for various security algorithms. Education and pricing considerations are also addressed.

gracej
Download Presentation

OpenDNSSEC: Automated DNSSEC Deployment in NZ

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Andy Linton asjl@lpnz.org DNSSEC deployment in NZ

  2. http://www.opendnssec.org/

  3. The Features of OpenDNSSEC • No manual management is needed (after first configuration) • Works with all different versions of the Unix operating system • Multiple zones with shared or individual policies • Each policy specifies a set of key and signature settings • Handle zone sizes ranging from a few RRs to millions of RRs • Unsigned zone file in and signed zone file out. • Supports RSA/SHA1 signatures – ready for future algorithms (e.g.RSA/SHA2,GOST)

  4. The Features of OpenDNSSEC • Denial of existence using NSEC or NSEC3 • Automatic key generation in HSMs via the PKCS#11 interface • Option support for sharing keys between zones • Automatic key rollover • Possibility of manual key rollover (emergency key rollover) • Automatic zone signing using HSMs via the PKCS#11 interface • Auditing of the signing process and result • BSD license

  5. Issues that drive the policy • Cannot turn DNSSEC off (yet) • Keys - New, important things to manage • Expectations of security • Few properly understand DNSSEC • Introduces new costs

  6. Registrars • New obligations on registrars • Cannot go back once DNSSEC introduced • Cannot just restore a backup - more complex • Security standards for managing keys • If registrar holds private keys... • Do keys move with change of registrar? • Must registrar cooperate with key rollover? • Must keys be placed in escrow? • What if they won't cooperate? • How is registrar failure handled?

  7. Registrants • Once DNSSEC is enabled, things change • Cannot just change their mind • Restricted in registrars they can use/move to • If the registrant hold private keys • Must they go via registrar to send to registry? • Supports current model of many TLDs • Will registrar be the weakest link? • Can they send keys direct to registry? • That way keys can follow the registrant • Breaks current model of many TLDs • What happens if their keys are compromised?

  8. Technical Considerations • How often will TLD allow key rollovers in delegated domains? • Will TLD insist on: • Min/Max key size? • Min/Max signature lifetime? • KSK -> ZSK configuration? • Min/Max number of KSKs? • DNSSEC equivalent of lame delegations?

  9. Education • Whose responsibility? • Just education or promotion as well? • What resources do registrars need: • Off-the-shelf policies on key management, signatures etc? • List of supporting tools? • Support in existing toolkits? • Do we test registrar knowledge? • Special DNSSEC accreditation?

  10. Pricing • Undeniably means an increase in costs • How does this fit with cost recovery? • Policy adopted by many TLDs • Charge more? • Split out costs for those that use DNSSEC? • Charge the same? • Charge less? • Drive up adoption

More Related