1 / 17

DNSSEC Update in .KR

< APTLD in BUSAN, 2011/08/25 >. DNSSEC Update in .KR. KISA Young-sun La rays@kisa.or.kr. Contents. Introduction .kr DNSSEC Overview Status Plan Registration Open Preparations Plug-in Pilot Seminar Considerations. Introduction. KISA roles Registry for .kr & . 한국 (IDN ccTLD)

nami
Download Presentation

DNSSEC Update in .KR

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. < APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA Young-sun La rays@kisa.or.kr

  2. Contents • Introduction • .kr DNSSEC Overview • Status • Plan • Registration Open Preparations • Plug-in Pilot • Seminar • Considerations

  3. Introduction • KISA roles • Registryfor .kr & .한국(IDN ccTLD) • Thirtykr subdomain zone(ex, “co.kr” etc.) • Cooperation with Thirty fourRegistrars(domain registration & administration, Using EPP) • Operating Masterkr DNS • Fifteen slave DNS deployment & operation • 9 Sites in korea, 6 sites abroad • 12 sites controled by KISA, 3 sites controled by ISPs • Hosting RootDNS(F) Mirror • Hosting other ccTLDs DNS(German, Brazil, Sigapore, China) • KR domains: 1,094,609(2011 July) • DNS Query: 1,229,393,305/day(2011July Ave.)

  4. DNSSEC Overview • 2011, June: go.kr (signed) • 2011, Sep.: .kr • 2011, Oct. : 12 Zones • 2011, Nov. : 16 Zones • 2012, Mar. : co.kr The latter half of 2011 DNSSEC Validation Plug-in(Pilot) .kr Registry Recursive DNS .kr Registrar .kr Registrant(DNS Operator) User ISP, Co., Gov., KISA 34 Co. KISA the latter half 2011 DNSSECcache servers run the latter half 2012 DNSSEC Registrations Open

  5. DNSSEC Status • June1st : go.kr signed • NSEC3 (DS RR aren’t exist yet) • ZSK Automated Rollover(BIND support) • BIND version : above 9.6.0 • Architecture • Domain DB->DNSSEC Master(signer)-> kr DNS Master -> kr DNS Slaves(15sites) • Simply, Unification DNSSEC Master & kr DNS Master is possible. • We seperated them for esay recovery in case of DNSSEC service failure. • * Architecture could be implemented as various forms according to the local environment & situation.

  6. DNSSEC Status(Cont.) • Keeping Dynamic Update Service running(the most toughest job in deployment DNSSEC) • All Zone Transfer : Once a day • Working Hours : 130minutes, most for zone transfer(90minutes) • Considering zone signing increase, improvement in zone transfer architecture should be considered • Transfer to slave in brazil took the longest time. • Dynamic update modification need: we cover all zone transfer once a day in case of D.U. failure now, but if more zone adopt DNSSEC, It will be difficult to AXFR the whole zone every time. • We are seeking solutions to guarantee trust in D.U.

  7. DNSSEC Plan • 2011, Sep.: .kr • 2011, Oct. : 12 zones(or.kr, ac.kr etc.) • 2011, Nov. : 16 zones(seoul.kr, jeju.kr etc.) • 2012, Mar. : co.kr(* biggest zone) • *Except Registrants’(Domain Owners) dnssec adoption • Registration system(possible after DB, EPP revision)

  8. DNSSEC Plan(Cont.) • HSM adoption(testing both server type and PCIe type) • Duplication master kr DNS(should be done with Domain DB duplications • * experienced flooding and power cutage, about for 12hours, domain info modification service wasn’t possible(last month) • We are deploying DNS cache server(DNSSEC enabled)(70% done), for R&D • 2012~ : DNSSEC Domain Registration service open(DS RR could be stored in Registry, DB & EPP job should be done)

  9. Registration Open Preparations • DS RR Verification Toolkit • Check DS RR validity using user input data(DNSKEY RR, DS RR) • Show the result “ok” • JSP • Java DNS API(DS Validation class, DS Record class, …) • Check Input error • Error exceptions

  10. Registration Open Preparations • DS RR Verification Toolkit

  11. Registration Open Preparations • EPP Modification • DS RR infomation added • DNSSEC related EPP Commands • <secDNS:create>, <secDNS:add>, • <secDNS:rem>, <secDNS:chg> • New version RTK distribution

  12. DNSSEC Plug-in Pilot • DNSSEC Validator Plug-In Dev.(Pilot) • DNSSEC Validation API Development • dnsval-1.10 (for Linux & windows) • Chrome , Firefox : Npruntime • IE : ActiveX

  13. DNSSEC Plug-in Pilot • DNSSEC Validator Plug-In Dev.(Pilot) • Various Images help user understand the validation result much easier, straigter

  14. DNSSEC Seminar • For User understanding & publicity • Planing three times this year • 1th Seminar • 2011/7/14, 13:00~18:00 • Paticipants : 30(go, ac, re, ne, isp) • Before/after Survey done(33people) • 2th : Sep. • 3th : Nov.

  15. Considerations • BIND new version comes so often • (strength) • With new function added • BIND has most function we need • Without ZKT, OpenDNSSEC, DNSSEC-TOOLS etc. • (weakness) • BIND security vulnerability comes often • Recent one year, 10times reported (CVE-2011-0414, 1907, 1910,2464,2465, CVE-2010- 0218, 3762, 3614, 3615, 3613) • Difficult in having full knowledge in administration & operation

  16. Considerations • Commercial Solution deployment • Problem of selection between economy and convenience

  17. Thank you

More Related