
DNSSEC Sample Implementation

MENOG 10 Workshop

22 April 2012, Dubai

[email protected]

Demo Implementation
  • Key lengths – KSK: 2048-bit RSA, ZSK: 1024-bit RSA
  • Rollover – KSK: as needed, ZSK: every 90 days
  • Signing – RSASHA256 signatures, NSEC3 denial of existence
  • Physical – HSM/smartcards inside Safe inside Rack inside Cage inside Commercial Data Center
  • Logical – Separation of roles: cage access, safe combination, HSM/smartcard activation across three roles
  • Crypto – use FIPS certified smartcards as HSM and RNG
    • Generate KSK and ZSK offline using RNG
    • KSK use off-line
    • ZSK use off-net
Off-Line Key generator and KSK Signer

(Slide diagram: nested physical layers DATA CENTER > CAGE > RACK > SAFE. Inside the safe: KSK+RNG smartcards (three labelled), Live O/S DVD, Flash Drive, smartcard reader and laptop. Outputs leaving on the flash drive: KSK signed DNSKEYs, Encrypted ZSKs.)

Off-Net Signer

(Slide diagram, labels only: zonefile; DATA CENTER > CAGE > RACK; nameserver (three); hidden master (two); signer; firewall; Flash Drive carrying KSK signed DNSKEYs and Encrypted ZSKs in from the offline environment.)

Key Management

(Slide diagram, "Secure Key Generation and Signing Environment": the Offline Laptop holds the KSK and performs Generate KSK, Generate ZSKs and Sign ZSKs with KSK. Transport KSK signed DNSKEY RRsets and Encrypted ZSKs to the Online/off-net DNSSEC Signer, which performs Sign zones with ZSK: unsigned zone in, signed zone out.)

Key Management

(Second Key Management slide, same "Secure Key Generation and Signing Environment" but with the ZSKs generated on the Online/off-net DNSSEC Signer: Generate ZSKs there, Transport public half of ZSKs to the Offline Laptop, Generate KSK and Sign ZSKs with KSK on the laptop, Transport KSK signed DNSKEY RRsets back to the signer, which performs Sign zones with ZSK: unsigned zone in, signed zone out.)
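The following is an added example, not code from the slides or the presenter. It turns the Demo Implementation parameters (KSK 2048-bit RSA, ZSK 1024-bit RSA, RSASHA256, NSEC3, 90-day ZSK rollover) and the split of duties on the two Key Management slides (the KSK only ever signs the DNSKEY RRset because its private half stays on the offline laptop; the ZSK signs everything else on the off-net signer) into a standard-library Python checker that an operator could run over the DNSKEY, RRSIG and NSEC3PARAM records the signer publishes. Assumptions: records are in presentation format, one per line; the sample keys are constructed byte patterns of the right length, not real RSA keys; and the rule that a ZSK signature must not be valid for longer than the 90-day rollover period is my reading of the rollover bullet, not something the slides state.

```python
"""Policy checker for a signed zone: KSK 2048-bit RSA, ZSK 1024-bit RSA,
RSASHA256 (algorithm 8), NSEC3, ZSK rolled every 90 days, and the KSK signs
only the DNSKEY RRset while the ZSK signs everything else. Stdlib only."""
import base64
import struct
from datetime import datetime, timezone

POLICY = {"ksk_bits": 2048, "zsk_bits": 1024, "algorithm": 8, "zsk_max_days": 90}
KSK_FLAGS, ZSK_FLAGS = 257, 256   # ZONE+SEP vs ZONE only (RFC 4034, 2.1.1)


def rsa_modulus_bits(rdata: bytes) -> int:
    """Modulus size of an RFC 3110 RSA public key: exponent length (1 byte,
    or 0 followed by 2 bytes), exponent, modulus."""
    elen, off = rdata[0], 1
    if elen == 0:
        elen, off = struct.unpack("!H", rdata[1:3])[0], 3
    return int.from_bytes(rdata[off + elen:], "big").bit_length()


def key_tag(flags: int, protocol: int, algorithm: int, rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    wire = struct.pack("!HBB", flags, protocol, algorithm) + rdata
    ac = 0
    for i, b in enumerate(wire):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _ts(s: str) -> datetime:
    """RRSIG timestamp (YYYYMMDDHHMMSS, UTC) to an aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_zone(zone_text: str, now: str) -> list:
    """Return policy findings for DNSKEY, RRSIG and NSEC3PARAM records;
    an empty list means the published records match the policy."""
    findings, roles, has_nsec3, ksk_signed_dnskey = [], {}, False, False
    recs = [line.split() for line in zone_text.strip().splitlines()]
    for f in recs:                       # first pass: learn the keys
        rtype, rd = f[3], f[4:]
        if rtype == "NSEC3PARAM":
            has_nsec3 = True
        elif rtype == "DNSKEY":
            flags, proto, alg = int(rd[0]), int(rd[1]), int(rd[2])
            raw = base64.b64decode("".join(rd[3:]))
            tag = key_tag(flags, proto, alg, raw)
            role = {KSK_FLAGS: "KSK", ZSK_FLAGS: "ZSK"}.get(flags, f"flags={flags}")
            roles[tag] = role
            if alg != POLICY["algorithm"]:
                findings.append(f"{role} {tag}: algorithm {alg}, policy requires RSASHA256 (8)")
            want = {"KSK": POLICY["ksk_bits"], "ZSK": POLICY["zsk_bits"]}.get(role)
            if want and rsa_modulus_bits(raw) != want:
                findings.append(f"{role} {tag}: {rsa_modulus_bits(raw)}-bit modulus, policy requires {want}")
    for f in recs:                       # second pass: who signed what
        if f[3] != "RRSIG":
            continue
        covered, expire, incept, tag = f[4], f[8], f[9], int(f[10])
        role = roles.get(tag)
        if role is None:
            findings.append(f"RRSIG over {covered} by key tag {tag} not in the DNSKEY RRset")
            continue
        if covered == "DNSKEY" and role == "KSK":
            ksk_signed_dnskey = True
        if covered != "DNSKEY" and role == "KSK":   # the KSK private key should never reach the signer
            findings.append(f"RRSIG over {covered} made with the offline KSK {tag}")
        if not _ts(incept) <= _ts(now) <= _ts(expire):
            findings.append(f"RRSIG over {covered} by {tag} is not valid at {now}")
        if role == "ZSK" and (_ts(expire) - _ts(incept)).days > POLICY["zsk_max_days"]:
            findings.append(f"RRSIG over {covered} by ZSK {tag} outlives the {POLICY['zsk_max_days']}-day rollover")
    if not ksk_signed_dnskey:
        findings.append("DNSKEY RRset carries no KSK signature")
    if not has_nsec3:
        findings.append("no NSEC3PARAM record: zone is not using NSEC3")
    return findings


def constructed_dnskey(owner: str, flags: int, bits: int):
    """DNSKEY line whose RSA modulus is a constructed byte pattern of the
    requested size (not a real key: only wire format and length matter here)."""
    exponent = b"\x01\x00\x01"
    modulus = bytes([0x80]) + bytes((i * 7 + 3) & 0xFF for i in range(bits // 8 - 1))
    raw = bytes([len(exponent)]) + exponent + modulus
    return f"{owner} 3600 IN DNSKEY {flags} 3 8 {base64.b64encode(raw).decode()}", key_tag(flags, 3, 8, raw)


def sample_zone(ksk_bits=2048, zsk_bits=1024, dnskey_signer="KSK") -> str:
    """Constructed records for example. as the off-net signer would publish them."""
    ksk, ktag = constructed_dnskey("example.", KSK_FLAGS, ksk_bits)
    zsk, ztag = constructed_dnskey("example.", ZSK_FLAGS, zsk_bits)
    sig = base64.b64encode(b"constructed-signature-bytes").decode()
    window = "20120601000000 20120501000000"   # expiration, inception (31 days)
    dnskey_tag = ktag if dnskey_signer == "KSK" else ztag
    return "\n".join([
        ksk, zsk, "example. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD",
        f"example. 3600 IN RRSIG DNSKEY 8 1 3600 {window} {dnskey_tag} example. {sig}",
        f"example. 3600 IN RRSIG SOA 8 1 3600 {window} {ztag} example. {sig}",
        f"www.example. 300 IN RRSIG A 8 2 300 {window} {ztag} example. {sig}",
    ])


if __name__ == "__main__":
    for label, zone in [("policy zone", sample_zone()),
                        ("ZSK signed DNSKEY", sample_zone(dnskey_signer="ZSK")),
                        ("2048-bit ZSK", sample_zone(zsk_bits=2048))]:
        print(label, "->", check_zone(zone, "20120515000000") or "OK")
```

The two-pass structure matters: the first pass classifies every published key by its flags and key tag, so the second pass can attribute each RRSIG to a role. A KSK signature over anything but DNSKEY is the finding to care about, since in this design it can only happen if the KSK private material left the safe and reached the off-net signer.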
