
DNSSEC @ LKNIC Updates

This article discusses the history and testing process of DNSSEC implementation, key rollover procedures, and the challenges faced. It also explores the issues related to algorithm rollover, NSEC3 implementation, and client awareness of DNSSEC usefulness.

therman

Presentation Transcript


  1. DNSSEC @ LKNIC Updates
     - Chamara Disanayake, Manager – Engineering, LKNIC

  2. History
     - Testing started in late 2009 with a testbed
     - Generated the KSKs and ZSK at the Key Generation Ceremony in June 2010
     - Used NSEC
     - Validity period of the ZSK set to 3 months
     - All 3 ccTLDs were officially signed on 15th July 2010
     - DS records were submitted to IANA

  3. Key Rollover
     - Key rollover for ZSK
       - New ZSK generated on the 1st of October
       - Included in the zone and signed with the old ZSK
       - After the TTL, removed the old ZSK and started signing with the new ZSK
     - Algorithm rollover
       - Need to change the algorithm to NSEC → NSEC3
       - Need to stop zone walking and apply opt-out
       - Use advanced features in NSEC3
       - Testing started
       - Issue with the mechanism

  4. Experiences and Issues
     - Around 50% of the clients do NOT have NS records
       - They have RRs
     - Around 1,00,000 SIGNED records in the .lk zone file
       - Takes ~240 seconds to sign the .lk zone
     - Fewer DS records
       - Clients are not very aware of the usefulness of DNSSEC
       - Less motivation
       - Need more technical experience and knowledge

  5. Thank You!!!
