.uk DNSSEC Status update
.uk DNSSEC Status update
02/05/2011
Brett Carr
Introduction
• .uk DNSSEC
• September 2010 Issues
• SLD DNSSEC
• DNSSEC Signing Service.
.uk DNSSEC
• .uk Signed March 2010
• Uses:
– OpenDNSSEC
– CentOS
– Oracle HSMs
– Three sets of identical hardware/software
• NSEC3 not needed but deployed.
• ZSK rolled every 6 months automatically
• KSK rolled every 3 years
• Low TTL on DNSKEYs to ensure rapid recovery from *issues*
September 2010 Issue
• HSM Hardware failure caused OS crash
• HSM Locked on reboot
• System designed with no urgency to fix so wait
• Failover to backup system
• OpenDNSSEC key DB/config file inconsistency
• 2 Day TTL on DNSKEY caused slow recovery
What did we change/learn
• Don’t lock HSMs on reboot: locking adds extra security but also more complexity.
• Improved checking procedures for failover
• Reduce TTL on DNSKEY to 1 hour so recovery is quicker
SLD DNSSEC
• Signing of:
– me.uk
– co.uk
– ltd.uk
– plc.uk
– org.uk
– net.uk
– sch.uk
• Zones are very large and dynamically updated every minute.
• BIND 9.7.3 continuous signing: create the keys, then add this to your configuration:
    auto-dnssec maintain;
    sig-validity-interval 35 28;
• Single Key (no KSK and ZSK) as we are the parent
• No scheduled rollover
• DS records accepted from capable registrars 18 May
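Added example (not from the Nominet slides): a small policy check for the BIND continuous-signing settings shown above. It parses the sig-validity-interval statement and checks that the re-signing margin outlasts SOA expire plus the largest TTL, and that the DNSKEY TTL is within the one-hour lesson from the September 2010 incident. The SOA expire and TTL values fed to it are constructed assumptions, and the 1h DNSKEY threshold is taken from the slides.

```python
import re

DAY = 86400


def parse_sig_validity_interval(line: str) -> tuple[int, int]:
    """Parse 'sig-validity-interval <valid> [<resign>];' (both in days).

    BIND regenerates signatures <resign> days before they expire; when the
    second field is omitted BIND defaults it to a quarter of the first.
    """
    m = re.match(r"\s*sig-validity-interval\s+(\d+)(?:\s+(\d+))?\s*;", line)
    if not m:
        raise ValueError(f"not a sig-validity-interval statement: {line!r}")
    valid = int(m.group(1))
    resign = int(m.group(2)) if m.group(2) else valid // 4
    return valid, resign


def check_signing_policy(valid_days: int, resign_days: int,
                         soa_expire: int, dnskey_ttl: int, max_ttl: int) -> list[str]:
    """Return findings for a continuous-signing policy (empty = looks sound).

    With '35 28' a signature made at T expires at T+35d and is regenerated
    at T+7d, so a secondary that stops transferring after that still holds
    RRSIGs good for about resign_days.  That margin must cover SOA expire
    (how long the secondary keeps answering) plus the largest TTL (how long
    caches keep the records), or validators will see expired signatures.
    """
    findings = []
    if resign_days >= valid_days:
        findings.append("resign interval must be shorter than the validity interval")
    margin = resign_days * DAY
    if margin < soa_expire + max_ttl:
        findings.append(f"resign margin {margin}s is below SOA expire + max TTL "
                        f"({soa_expire + max_ttl}s): stale secondaries may serve expired RRSIGs")
    if dnskey_ttl > 3600:  # assumption: the 1h target from the September 2010 lessons
        findings.append(f"DNSKEY TTL {dnskey_ttl}s exceeds 1h: slow recovery after a key or HSM incident")
    return findings


if __name__ == "__main__":
    valid, resign = parse_sig_validity_interval("sig-validity-interval 35 28;")
    # Constructed values: 14-day SOA expire, 2-day max TTL, DNSKEY TTL before/after the change.
    for ttl in (2 * DAY, 3600):
        print(ttl, check_signing_policy(valid, resign, 14 * DAY, ttl, 2 * DAY))
```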
DNSSEC Signing Service
• Encourage deployment of DNSSEC further.
• Registrar gives us the unsigned zone (via NOTIFY and AXFR)
• Nominet signing systems create a signed zone.
• Notify sent to customer DNS system for AXFR.
• For *.uk zones Nominet signing system inserts DS record into parent.
Questions/Comments