Scribd Logo
Upload

Welcome to Scribd!

  • Dnssec For .Uk

    Uploaded by

    JennieAWalsh
    9 views11 pages
    DNSSEC and Signing .uk provides authentication and proof of authenticity for DNS responses. It introduces new DNS records like DNSKEY, RRSIG, NSEC and NSEC3. The current .uk infrastructure uses a hidden master zone that is transferred to a public master and other nameservers. opendnssec is a turnkey solution for signing zones that handles key generation and zone signing. The new .uk infrastructure will use opendnssec running on a hardware security module with the signed zone transferred to the public master and other nameservers. Signing large second level domains presents challenges due to their size, transfer restrictions, and dynamic updates.

    Original Description:

    fhsdj

    Original Title

    Dnssec for .Uk

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    DNSSEC and Signing .uk provides authentication and proof of authenticity for DNS responses. It introduces new DNS records like DNSKEY, RRSIG, NSEC and NSEC3. The current .uk infrastructure uses a hidden master zone that is transferred to a public master and other nameservers. opendnssec is a turnkey solution for signing zones that handles key generation and zone signing. The new .uk infrastructure will use opendnssec running on a hardware security module with the signed zone transferred to the public master and other nameservers. Signing large second level domains presents challenges due to their size, transfer restrictions, and dynamic updates.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    9 views11 pages

    Dnssec For .Uk

    Uploaded by

    JennieAWalsh
    DNSSEC and Signing .uk provides authentication and proof of authenticity for DNS responses. It introduces new DNS records like DNSKEY, RRSIG, NSEC and NSEC3. The current .uk infrastructure uses a hidden master zone that is transferred to a public master and other nameservers. opendnssec is a turnkey solution for signing zones that handles key generation and zone signing. The new .uk infrastructure will use opendnssec running on a hardware security module with the signed zone transferred to the public master and other nameservers. Signing large second level domains presents challenges due to their size, transfer restrictions, and dynamic updates.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 11

    DNSSEC and Signing .

    uk

    28/05/2009 Brett Carr

    Introduction
    DNSSEC Refresher Current .uk infrastructure Overview of opendnssec New .uk infrastructure Challenges in signing second level domains

    DNSSEC Refresher
    Provides authentication of DNS responses Provides proof of non existence New records DNSKEY Public Key RRSIG Signature of Resource Record Set NSECShows next record in zone NSEC3 Shows next record in zone (hashed) DS In parent, provides secure delegation. Howto (simplified) Create keys (dnssec-keygen) Sign zone (dnssec-signzone) Make keys available or Upload DS records to signed parent. Critical Keep private keys safe and secure. Consider and document keyrollover procedures Secure methods for talking to parents/children

    Current .uk infrastructure


    Hidden Master Zone under manual edit/control AXFR to public master (ns1.nic.uk) AXFR to other nameservers (ns2-7,a-d).nic.uk

    opendnssec
    Simple turnkey solution for dnssec Easy setup and configure Set Key and Security Policy (KASP): Key algorithim type Key Length Signature lifetime Keyrollover parameters Point it at your zonefile(s) Load the signed output into your nameserver Publish your key and/or upload DS to parent. Supports external HSMs with PKCS11 interface SoftHSM for testing/development included

    opendnssec

    opendnssec
    Developed by: NLNetlabs .SE Nominet Surfnet Kirei AB John Dickinson First beta release at IETF Stockholm in July http://www.opendnssec.se

    New .uk Infrastructure

    Hidden Master AXFR to Signer running opendnssec with HSM AXFR to public master (ns1.nic.uk) AXFR to other nameservers (ns2-7,a-d).nic.uk

    Other tasks

    Education and outreach to second level domains Publicise to internet community Check/change procedures related to information exchange Publish the public key(s) in IANA ITAR

    Second Level Domain Challenges

    Second level domains are MUCH larger uk 6 Kilobytes co.uk 400 Megabytes Second level domains are restricted from external AXFR Second level domains are updated using dynamic updates

    Size means opt-in (RFC5155) is a requirement AXFR Restriction means NSEC3 (RFC5155) is a requirement Dynamic updates mean that continous signing is a requirement Update to registry systems for DS records

    Questions/Comments

    You might also like