
DNSSEC Sample Implementation

DNSSEC Sample Implementation. MENOG 10 Workshop, 22 April 2012, Dubai. richard.lamb@icann.org. Demo Implementation: key lengths KSK 2048 RSA, ZSK 1024 RSA; rollover KSK as needed, ZSK 90 days; RSASHA256, NSEC3.


Presentation Transcript


  1. DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai richard.lamb@icann.org

  2. Demo Implementation
     • Key lengths – KSK: 2048 RSA, ZSK: 1024 RSA
     • Rollover – KSK: as needed, ZSK: 90 days
     • RSASHA256, NSEC3
     • Physical – HSM/smartcards inside a safe, inside a rack, inside a cage, inside a commercial data center
     • Logical – separation of roles: cage access, safe combination and HSM/smartcard activation are split across three roles
     • Crypto – FIPS-certified smartcards used as HSM and RNG
     • KSK and ZSK generated offline using that RNG
     • KSK used off-line
     • ZSK used off-net

  3. Off-Line Key Generator and KSK Signer (diagram; labels only): data center > cage > rack > safe holding the KSK+RNG smartcards; live O/S DVD, KSK+RNG flash drive, smartcard reader, laptop; outputs: KSK-signed DNSKEYs, encrypted ZSKs.

  4. Off-Net Signer (diagram; labels only): data center > cage > rack; nameservers, hidden master nameserver, signer, firewall; zonefile; carried in by flash drive: KSK-signed DNSKEYs, encrypted ZSKs.

  5. Key Management (diagram; labels only). Secure Key Generation and Signing Environment. Offline laptop: Generate KSK, Generate ZSKs, Sign ZSKs with KSK. Transport: KSK-signed DNSKEY RRsets and encrypted ZSKs. Online/off-net DNSSEC Signer: unsigned zone, Sign zones with ZSK, signed zone.

  6. Key Management (diagram; labels only, variant of slide 5). Secure Key Generation and Signing Environment. Offline laptop: Generate KSK, Sign ZSKs with KSK. Online/off-net DNSSEC Signer: Generate ZSKs, Transport public half of ZSKs to the offline laptop, unsigned zone, Sign zones with ZSK, signed zone. Transport back: KSK-signed DNSKEY RRsets.
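As an added example (not from the slides), a Python check that audits a published DNSKEY RRset against the policy on slide 2: RSASHA256 (algorithm 8) with a 2048-bit KSK and a 1024-bit ZSK. The sample records are constructed with dummy moduli so the script runs offline; the RFC 3110 key layout and the RFC 4034 key-tag computation it applies are the real ones.

```python
import base64
import struct
# Policy from slide 2: RSASHA256 (algorithm 8), KSK 2048-bit RSA, ZSK 1024-bit RSA.
POLICY_ALGORITHM = 8
POLICY_BITS = {257: 2048, 256: 1024}  # DNSKEY flags (257 = KSK, 256 = ZSK) -> modulus bits

def parse_dnskey(rr):
    """Parse a DNSKEY RR in zone-file form: owner TTL IN DNSKEY flags proto alg base64-key."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return {"flags": flags, "protocol": proto, "algorithm": alg,
            "key": base64.b64decode("".join(f[i + 4:]))}

def rsa_modulus_bits(key):
    """RFC 3110 layout: exponent length (1 byte, or 0 followed by 2 bytes), exponent, modulus."""
    elen, off = key[0], 1
    if elen == 0:
        elen, off = struct.unpack("!H", key[1:3])[0], 3
    return int.from_bytes(key[off + elen:], "big").bit_length()

def key_tag(k):
    """RFC 4034 Appendix B key tag over the wire-format RDATA (all algorithms except RSAMD5)."""
    rdata = struct.pack("!HBB", k["flags"], k["protocol"], k["algorithm"]) + k["key"]
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def check_policy(rr):
    """Return (key tag, list of policy violations) for one DNSKEY record."""
    k, problems = parse_dnskey(rr), []
    if k["algorithm"] != POLICY_ALGORITHM:
        problems.append(f"algorithm {k['algorithm']}, policy requires {POLICY_ALGORITHM} (RSASHA256)")
    expected = POLICY_BITS.get(k["flags"])
    if expected is None:
        problems.append(f"unexpected flags {k['flags']}")
    elif rsa_modulus_bits(k["key"]) != expected:
        problems.append(f"{rsa_modulus_bits(k['key'])}-bit modulus, policy requires {expected}")
    return key_tag(k), problems

def make_dnskey(owner, flags, alg, bits):
    """Constructed sample record (not a real key): exponent 65537 and a dummy odd modulus."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = b"\x03\x01\x00\x01" + modulus  # exponent length 3, exponent 0x010001, then modulus
    return f"{owner} 3600 IN DNSKEY {flags} 3 {alg} {base64.b64encode(key).decode()}"

SAMPLE_RRSET = [  # constructed input, see make_dnskey
    make_dnskey("example.", 257, 8, 2048),  # KSK: compliant
    make_dnskey("example.", 256, 8, 1024),  # ZSK: compliant
    make_dnskey("example.", 256, 5, 1024),  # ZSK using RSASHA1 (5): algorithm violation
    make_dnskey("example.", 256, 8, 512),   # ZSK with a 512-bit modulus: length violation
]
```

Run `check_policy` over each record of a real `dig DNSKEY` answer to spot a key that drifted from the stated policy before it is published; the key tag lets you match findings to DS records and RRSIGs.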
