1 / 7

.uk DNSSEC Status update

.uk DNSSEC Status update. 02/05/2011 Brett Carr. Introduction. .uk DNSSEC September 2010 Issues SLD DNSSEC DNSSEC Signing Service. .uk DNSSEC. .uk Signed March 2010 Uses: Opendnssec Centos Oracle HSM’s Three sets of identical hardware/software NSEC3 not needed but deployed.

trella
Download Presentation

.uk DNSSEC Status update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. .uk DNSSEC Status update 02/05/2011 Brett Carr

  2. Introduction • .uk DNSSEC • September 2010 Issues • SLD DNSSEC • DNSSEC Signing Service.

  3. .uk DNSSEC • .uk Signed March 2010 • Uses: Opendnssec Centos Oracle HSM’s Three sets of identical hardware/software • NSEC3 not needed but deployed. • ZSK rolled every 6 months automatically • KSK rolled every 3 years • Low TTL on DNSKEYS to ensure rapid recovery from *issues*

  4. September 2010 Issue • HSM Hardware failure caused OS crash • HSM Locked on reboot • System designed with no urgency to fix so wait • Failover to backup system • Opendnssec key db/config file inconsistency • 2 Day TTL on DNSKEY caused slow recovery What did we change/learn • Don’t lock HSM’s on reboot add’s extra security but more complexity. • Improved checking procedures for failover • Reduce TTL on dnskey to 1 hour so recovery is quicker

  5. SLD DNSSEC • Signing of: • me.uk • co.uk • ltd.uk • plc.uk • org.uk • net.uk • sch.uk • Zones are very large and dynamically updated every minute. • BIND 9.7.3 Continuous signing:Create the keys then add this to your configuration:auto-dnssec maintain;sig-validity-interval 35 28; • Single Key (no KSK and ZSK) as we are the parent • No scheduled rollover • DS’s accepted from capable registrars 18 May

  6. DNSSEC Signing Service • Encourage deployment of DNSSEC further. • Registrar gives us unsigned zone (via notify and axfr) • Nominet signing systems create a signed zone. • Notify sent to customer DNS system for AXFR. • For *.uk zones Nominet signing system inserts DS record into parent.

  7. Questions/Comments

More Related