< APTLD in BUSAN, 2011/08/25 >
DNSSEC Update in .KR
KISA Young-sun La rays@kisa.or.kr

Contents
• Introduction
• .kr DNSSEC Overview
• Status
• Plan
• Registration Open Preparations
• Plug-in Pilot
• Seminar
• Considerations
Introduction
• KISA roles
  • Registry for .kr & .한국 (IDN ccTLD)
  • Thirty kr subdomain zones (e.g. "co.kr" etc.)
  • Cooperation with thirty-four registrars (domain registration & administration, using EPP)
  • Operating the master kr DNS
  • Fifteen slave DNS deployment & operation
    • 9 sites in Korea, 6 sites abroad
    • 12 sites controlled by KISA, 3 sites controlled by ISPs
  • Hosting Root DNS (F) mirror
  • Hosting other ccTLDs' DNS (Germany, Brazil, Singapore, China)
• KR domains: 1,094,609 (2011 July)
• DNS queries: 1,229,393,305/day (2011 July average)
DNSSEC Overview
• 2011, June: go.kr (signed)
• 2011, Sep.: .kr
• 2011, Oct.: 12 zones
• 2011, Nov.: 16 zones
• 2012, Mar.: co.kr
[Diagram of the .kr DNSSEC chain: .kr Registry (KISA), .kr Registrars (34 companies), .kr Registrants / DNS operators (ISPs, companies, government, KISA), recursive DNS, users. Milestones: latter half of 2011: DNSSEC validation plug-in (pilot) and DNSSEC cache servers running; latter half of 2012: DNSSEC registrations open]
DNSSEC Status
• June 1st: go.kr signed
  • NSEC3 (no DS RRs exist yet)
  • ZSK automated rollover (BIND support)
  • BIND version: 9.6.0 or above
• Architecture
  • Domain DB -> DNSSEC master (signer) -> kr DNS master -> kr DNS slaves (15 sites)
  • Unifying the DNSSEC master and the kr DNS master would be simpler.
  • We separated them for easy recovery in case of DNSSEC service failure.
  • * The architecture could be implemented in various forms according to the local environment & situation.
DNSSEC Status (Cont.)
• Keeping the Dynamic Update service running (the toughest job in DNSSEC deployment)
• Full zone transfer: once a day
  • Working hours: 130 minutes, mostly zone transfer (90 minutes)
  • As zone signing grows, improvement of the zone transfer architecture should be considered
  • Transfer to the slave in Brazil took the longest time.
• Dynamic Update modification needed: we do a full zone transfer once a day in case of D.U. failure now, but if more zones adopt DNSSEC, it will be difficult to AXFR the whole zone every time.
  • We are seeking solutions to guarantee trust in D.U.
DNSSEC Plan
• 2011, Sep.: .kr
• 2011, Oct.: 12 zones (or.kr, ac.kr etc.)
• 2011, Nov.: 16 zones (seoul.kr, jeju.kr etc.)
• 2012, Mar.: co.kr (* biggest zone)
• * Excluding registrants' (domain owners') DNSSEC adoption
  • Registration system (possible after DB & EPP revision)
DNSSEC Plan (Cont.)
• HSM adoption (testing both server type and PCIe type)
• Duplication of the master kr DNS (should be done together with Domain DB duplication)
  • * Last month we experienced flooding and a power outage; for about 12 hours the domain info modification service wasn't available.
• We are deploying a DNS cache server (DNSSEC enabled) (70% done), for R&D
• 2012~: DNSSEC domain registration service open (DS RRs could be stored in the Registry; DB & EPP work should be done)
Registration Open Preparations
• DS RR Verification Toolkit
  • Checks DS RR validity using user input data (DNSKEY RR, DS RR)
  • Shows the result "ok"
  • JSP
  • Java DNS API (DS Validation class, DS Record class, ...)
  • Checks input errors
  • Error exceptions
Registration Open Preparations
• DS RR Verification Toolkit
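The DS check the two toolkit slides describe, as an added example in Python; it is not KISA's JSP/Java toolkit and does not use the Java DNS API named on the slide. It follows RFC 4034: the DS digest is the hash of the owner name in canonical wire form concatenated with the DNSKEY RDATA, and the key tag is the 16-bit checksum from Appendix B. The DNSKEY below is constructed (its key bytes are an arbitrary pattern, not a real RSA key), so the DS it yields is only meaningful relative to that input; both owner name and record text are placeholders.

```python
import base64
import binascii
import hashlib

# DS digest types (IANA "DS RR Digest Types" registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(owner):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in owner.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line):
    """'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' -> (owner, rdata bytes)."""
    t = line.split()
    i = t.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in t[i + 1:i + 4])
    pubkey = base64.b64decode("".join(t[i + 4:]), validate=True)
    return t[0], flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def parse_ds(line):
    """'owner [ttl] [IN] DS keytag algorithm digesttype hex...' -> (owner, keytag, alg, dtype, hexdigest)."""
    t = line.split()
    i = t.index("DS")
    tag, algorithm, digest_type = (int(x) for x in t[i + 1:i + 4])
    return t[0], tag, algorithm, digest_type, "".join(t[i + 4:]).lower()


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(dnskey_line, digest_type=2):
    """DS RR (presentation format) for a DNSKEY: digest = hash(canonical owner name || DNSKEY RDATA)."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def verify_ds(dnskey_line, ds_line):
    """Return (ok, reason): ok is True only when every DS field matches the DNSKEY."""
    try:
        owner_k, rdata = parse_dnskey(dnskey_line)
        owner_d, tag, algorithm, digest_type, digest = parse_ds(ds_line)
    except (ValueError, IndexError, binascii.Error, UnicodeEncodeError) as exc:
        return False, f"input error: {exc}"
    if canonical_name(owner_k) != canonical_name(owner_d):
        return False, "owner names differ"
    if algorithm != rdata[3]:
        return False, "algorithm field differs"
    if tag != key_tag(rdata):
        return False, f"key tag mismatch (DNSKEY has {key_tag(rdata)})"
    if digest_type not in DIGEST_ALGS:
        return False, f"unsupported digest type {digest_type}"
    expected = DIGEST_ALGS[digest_type](canonical_name(owner_k) + rdata).hexdigest()
    if digest != expected:
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample: the public key bytes are NOT a real RSA key, only a fixed byte pattern
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + b"\xab\xcd" * 4
SAMPLE_DNSKEY = "example.kr. IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
SAMPLE_DS = make_ds(SAMPLE_DNSKEY)

if __name__ == "__main__":
    print(SAMPLE_DS)
    print(verify_ds(SAMPLE_DNSKEY, SAMPLE_DS))
```

Every mismatch is reported separately (owner, algorithm, key tag, digest type, digest) rather than as a single "not ok", because a registrant pasting records into a web form needs to know which field to fix; malformed input is caught and reported the same way instead of raising.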
Registration Open Preparations
• EPP modification
  • DS RR information added
  • DNSSEC-related EPP commands
    • <secDNS:create>, <secDNS:add>,
    • <secDNS:rem>, <secDNS:chg>
  • New version RTK distribution
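The EPP commands named on this slide, as an added example (not KISA's RTK or registry code): the registrar side builds a domain <create> or <update> carrying the secDNS-1.1 extension of RFC 5910 (<secDNS:create> on create; <secDNS:rem> and <secDNS:add> on update; <secDNS:chg>, which only carries maxSigLife, is not generated), and the registry side pulls the dsData out of the received request and sanity-checks it before it would be stored. The domain name, clTRID, authInfo password and DS digest are constructed placeholders.

```python
import xml.etree.ElementTree as ET

EPP = "urn:ietf:params:xml:ns:epp-1.0"
DOMAIN = "urn:ietf:params:xml:ns:domain-1.0"
SECDNS = "urn:ietf:params:xml:ns:secDNS-1.1"   # RFC 5910 namespace
ET.register_namespace("domain", DOMAIN)
ET.register_namespace("secDNS", SECDNS)

# Expected hex length of the digest for each DS digest type (SHA-1, SHA-256, SHA-384)
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def _q(ns, tag):
    """Clark-notation qualified tag name for ElementTree."""
    return f"{{{ns}}}{tag}"


def ds_from_presentation(line):
    """'owner [ttl] [IN] DS keyTag alg digestType hex...' -> dict with the four dsData fields."""
    t = line.split()
    i = t.index("DS")
    return {"keyTag": int(t[i + 1]), "alg": int(t[i + 2]),
            "digestType": int(t[i + 3]), "digest": "".join(t[i + 4:]).upper()}


def ds_input_errors(ds):
    """Registry-side sanity checks on one dsData record before it is stored; returns a list of problems."""
    errors = []
    if not 0 <= ds["keyTag"] <= 65535:
        errors.append("keyTag out of range")
    if ds["digestType"] not in DIGEST_HEX_LEN:
        errors.append("unsupported digestType")
    elif (len(ds["digest"]) != DIGEST_HEX_LEN[ds["digestType"]]
          or not all(c in "0123456789ABCDEF" for c in ds["digest"])):
        errors.append("digest length/hex mismatch for digestType")
    return errors


def _append_ds_data(parent, records):
    for ds in records:
        d = ET.SubElement(parent, _q(SECDNS, "dsData"))
        for field in ("keyTag", "alg", "digestType", "digest"):
            ET.SubElement(d, _q(SECDNS, field)).text = str(ds[field])


def secdns_command(kind, domain, add=(), rem=(), rem_all=False, cltrid="CLTRID-PLACEHOLDER"):
    """Build an EPP <create> or <update> for `domain` with a secDNS-1.1 extension.
    create: <secDNS:create> lists the DS records to publish with the new domain.
    update: <secDNS:rem> (listed DS records, or <secDNS:all>) followed by <secDNS:add>."""
    if kind not in ("create", "update"):
        raise ValueError("kind must be 'create' or 'update'")
    epp = ET.Element(_q(EPP, "epp"))
    cmd = ET.SubElement(epp, _q(EPP, "command"))
    verb = ET.SubElement(cmd, _q(EPP, kind))
    dom = ET.SubElement(verb, _q(DOMAIN, kind))
    ET.SubElement(dom, _q(DOMAIN, "name")).text = domain
    if kind == "create":
        # authInfo is mandatory in domain:create (RFC 5731); the password is a placeholder
        auth = ET.SubElement(dom, _q(DOMAIN, "authInfo"))
        ET.SubElement(auth, _q(DOMAIN, "pw")).text = "AUTHINFO-PLACEHOLDER"
    ext = ET.SubElement(cmd, _q(EPP, "extension"))
    sec = ET.SubElement(ext, _q(SECDNS, kind))
    if kind == "create":
        _append_ds_data(sec, add)
    else:
        if rem_all or rem:
            r = ET.SubElement(sec, _q(SECDNS, "rem"))
            if rem_all:
                ET.SubElement(r, _q(SECDNS, "all")).text = "true"
            else:
                _append_ds_data(r, rem)
        if add:
            _append_ds_data(ET.SubElement(sec, _q(SECDNS, "add")), add)
    ET.SubElement(cmd, _q(EPP, "clTRID")).text = cltrid
    return ET.tostring(epp, encoding="unicode", default_namespace=EPP)


def extract_ds_data(xml_text):
    """Registry side: every dsData record carried in a received request's secDNS extension."""
    root = ET.fromstring(xml_text)
    records = []
    for d in root.iter(_q(SECDNS, "dsData")):
        raw = {f: d.findtext(_q(SECDNS, f)) for f in ("keyTag", "alg", "digestType", "digest")}
        records.append({"keyTag": int(raw["keyTag"]), "alg": int(raw["alg"]),
                        "digestType": int(raw["digestType"]), "digest": (raw["digest"] or "").upper()})
    return records


# Constructed sample: the digest is a filler pattern of the right length for SHA-256, not a real hash
SAMPLE_DS = "example.kr. IN DS 46657 8 2 " + "AB" * 32

if __name__ == "__main__":
    request = secdns_command("update", "example.kr", add=[ds_from_presentation(SAMPLE_DS)], rem_all=True)
    print(request)
    for rec in extract_ds_data(request):
        print(rec, ds_input_errors(rec) or "ok")
```

The <secDNS:rem><secDNS:all>true</secDNS:all></secDNS:rem> followed by <secDNS:add> pattern is the usual way a registrar replaces a registrant's DS set atomically during a KSK rollover; the registry-side length and hex checks catch the most common input errors (a digest pasted with the wrong hash type, or truncated) before a bad DS is published in the parent zone and breaks validation for the delegation.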
DNSSEC Plug-in Pilot
• DNSSEC Validator Plug-In Dev. (Pilot)
  • DNSSEC Validation API development
    • dnsval-1.10 (for Linux & Windows)
  • Chrome, Firefox: NPRuntime
  • IE: ActiveX
DNSSEC Plug-in Pilot
• DNSSEC Validator Plug-In Dev. (Pilot)
  • Various images help users understand the validation result more easily and more directly
DNSSEC Seminar
• For user understanding & publicity
• Planning three seminars this year
  • 1st seminar
    • 2011/7/14, 13:00~18:00
    • Participants: 30 (go, ac, re, ne, ISP)
    • Before/after survey done (33 people)
  • 2nd: Sep.
  • 3rd: Nov.
Considerations
• New BIND versions come out very often
  • (Strength)
    • New functions are added
    • BIND has most of the functions we need
    • Without ZKT, OpenDNSSEC, DNSSEC-Tools etc.
  • (Weakness)
    • BIND security vulnerabilities come out often
    • In the last year, 10 were reported (CVE-2011-0414, 1907, 1910, 2464, 2465; CVE-2010-0218, 3762, 3614, 3615, 3613)
    • Difficult to have full knowledge of administration & operation
Considerations
• Commercial solution deployment
  • Problem of choosing between economy and convenience