1 / 10

Signing . si Before and After

Signing . si Before and After. benjamin.zwittnig@ register .si. Before D NSSEC validation Preparing for signing Signing . si After Adapting registry system Raising DNSSEC awareness. Before. Low interest for DNSSEC Dnssec validation on recursive nameservers We have learned that

brigit
Download Presentation

Signing . si Before and After

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Signing .siBefore and After benjamin.zwittnig@register.si

  2. Before • DNSSECvalidation • Preparingforsigning • Signing .si • After • Adapting registry system • Raising DNSSEC awareness

  3. Before • Low interest for DNSSEC • Dnssecvalidation on recursivenameservers • We have learned that • Some domains were not resolved any more • No reported problem regarding CPEs • Traffic increase was not significant • Load increase was not significant • Around 40% queries with DO bit • Reply lengths are (still) mainly under 512 bytes

  4. Before • Preparation for signing • DNSSEC testbed • A lot of documentation • Testing (hardware, software, rollovers…) • Backup location • Monitoring • Sanity checks before publishing a signed zone • Nagios for nameservers and DNSSEC (RRSIG validity, chain of trust..), RIPE’s DNSMON • DSC, cacti

  5. Signing .si • OpenDNSSEC • HSM Sun/Oracle sca6000 for KSKs • SoftHSM for ZSKs • Keys • Algorithm 8 (RSASHA256) • NSEC3 with OptOut • KSK • Size 2048b • lifetime 1year • ZSK • Size 1024b • lifetime 30days • RRSIG • lifetime 14 days

  6. Signing .si • 30th of Nov 2011 • 13:00 Key Generation Ceremony • 17:00 First signed version of .si zone was published • 23th of Dec 2011 • DS record for .si was added to root zone

  7. After • No problems detected • Increase of traffic on a nameserver we are running for .si • Increase of DS lookups (expected)

  8. After • Almost no interest for DNSSEC • Governmental institutions • Banks • Two registrars • At the moment only few delegations signed (~ 20)

  9. After • We need to adapt our registry system for DNSSEC • Signing zones we are operating as a registrar • in-addr.arpa, ip6.arpa • Zones we are hosting • We need to raise DNSSEC awareness • Resolver operators to turn on DNSSEC validation • Hosting providers to start signing their domains • Registrars to publish DS records • Trainings • Signing service?

  10. Questions?

More Related