ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto, 11 November 2013: CIRA has completed two phases of a three-phased approach to implement DNSSEC on the .CA country code Top Level Domain (ccTLD). First, they released a DNSSEC Practice Statement for comment, providing an operational outline of how CIRA plans to develop, maintain and manage DNSSEC deployment for .CA. Next, they held a key signing ceremony where they generated the cryptographic digital key that is used to secure the .CA zone. On January 21, 2013, CIRA published a signed .CA zone file, and on January 23, the .CA DS record was submitted to the Internet Assigned Numbers Authority (IANA). The next phase of CIRA’s work in implementing DNSSEC is to make the necessary upgrades to ready the registry system for transacting DNSSEC-enabled .CA domain names. This work is expected to be complete in 2014. Once complete, CIRA will be able to register DNSSEC-enabled .CA domain names.

This session will explore CIRA’s technical solution for deploying DNSSEC support in the .CA registry, with the goal of making it easier for registrars, registrants and DNS operators to support any combination of DS and DNSKEY registration. We will take a quick look at our DNSSEC awareness strategy, the status/progress of .CA signed domains, and our lessons learned and challenges for increasing numbers of signed domain names.

Presentation Transcript

  • Deploying DNSSEC: A .CA Case Study
      Canadian Internet Registration Authority (CIRA)
      Jacques Latour
      ION - Toronto, November 14, 2011
      (slide footer on every slide: ION - Toronto - 2011-11-14)
  • About CIRA
      1. Operate the .CA Top Level Domain Registry (diagram: Registrant, Registrar, Registry, .CA DNS)
      2. Operate the .CA Top Level Domain DNS (diagram: Root “.”, “.CA”, 2nd level .CA domains; Internet Users, ISP, “.CA”)
      3. Do good things for the Canadian Internet: promote IXP development, adoption of IPv6 and DNSSEC
  • DNSSEC @ .CA – DNSSEC is a multi-phase project
      • Phase 1 – Sign .CA (completed January 2013)
        – Dual in-line signer – works great!
      • Phase 2 – Implement DNSSEC support in the .CA registry
        – Current work in progress, planned for March 2014
      • Phase 3 – Promote adoption of DNSSEC in Canada
        – .CA registrars, Internet service providers, enterprises
        – April 2014 and on-going
  • DNSSEC Signer & Validation – DNSSEC Signer & Verification (Step 2)
      • Dual online signer sets located in different locations
        – Sign with Bind & OpenDNSSEC
        – Signed zone file validation
        – DR site always up to date
      • Resilient solution
        – 9 months in production
        – 8 ZSK rollovers
      • 78 signed domains
      (Diagram: two signer sets, [2.0] SIGNER - PRD and [8.0] SIGNER - BAK, each with a DNSSEC Signer (ODS), a DNSSEC Signer (Bind), two HSMs and Level 2 Validators; the ODS set is marked “sticky”, the Bind set “backup”.)
  • DNSSEC in the .CA Registry
      • Primary objective: keep it simple for Registrars to work with .CA
  • Signing a 2nd Level Domain
      • DNS Operator is the entity operating the DNS server and generating DNSSEC material
      • In some instances, the DNS Operator is:
        – The Registrant, when they operate their own DNS
        – The Registrar, when offering services like hosted web services
        – The DNS service provider offering outsourced DNS services
  • Signing a 2nd Level Domain
      • DNS Operator is the entity operating the DNS server and generating DNSSEC material, a DNSKEY and/or DS record.

            3556 IN DNSKEY 257 3 5 ( AwEAAaejF8WJSwiUBCvpxrVrD40O9xIKy0GGUs0pvcAE
                                     2T8b2EsbmTnizimWygZ/BE0kCVViOVfW8JaxmwYwBPAD
                                     DuG2G23yHUJgfelW+7jM1L23VuqNc+It4z8fHse/g4sn
                                     NcZ/fjpSLAF0KMO95cUUzFKU6GTeFm+ebpxBvjQ+x21p
                                     TMJ8DWMAjbNRsaBS6yK2DVR3tQFkf9TrF7Rd4NiARG2n
                                     xkQ09JXS3+cv/kofRnxesV7unAc0nnw1aoeLDgGEj9+k
                                     u8Fu86hVGFq6HBgP+zrQCnTyspYk+d5OjQAzIPtB4G+X
                                     aWh/ZLfLwo9b7RFUT4c5fSxZLHYotHspCasS8gM= ) ; key id = 20878

            86400 IN DS 20878 5 1 ( 7649DF86DCA9B6B234CBEB3C11E6F7CC38A0B6AA )

      • DS goes in parent zone (.ca)
  • DNSSEC in the .CA Registry
      • Accepting DNSSEC material from Registrants via the Registrars into the registry for inclusion in the .CA zone file
      • EPP extensions for DNSSEC are defined in RFC 5910
      • Available March 2014
  • CIRA’s Implementation of DNSSEC – RFC 5910 support for the DNSKEY and DS interfaces
      RFC 5910: “There are two different forms of interfaces that a server can support. The first is called the "DS Data Interface", where the client is responsible for the creation of the DS information … The second is the "Key Data Interface", where the client is responsible for passing the key data information …”
      CIRA:
      • Support DS interface
      • Support DNSKEY interface
      • Support DS and DNSKEY
  • Some DNSSEC Parameters (reference only)
      • secDNS-1.1.xsd – RFC 5910
      • Store a maximum of 6 DS and/or DNSKEY records
      • Support of all 11 algorithms identified as valid zone-signing algorithms (DSA, RSA, GOST, ECDSA, etc.)
      • Support of 4 digest algorithms when accepting DS data records (SHA-1/256/384, GOST R 34.11-94)
      • When CIRA is given a DNSKEY record and generates the DS record, digest algorithm SHA-1 will be used
      • Optional <secDNS:maxSigLife> element will NOT be supported
      • Optional attribute urgent will NOT be supported
      • Whois will show the DNSSEC status (signed/unsigned)
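The DNSKEY/DS relationship on the “Signing a 2nd Level Domain” slide and the registry acceptance rules on the parameters slide, worked through as an added Python example (not CIRA’s code and not part of the original deck). It parses the slide’s DNSKEY, derives the RFC 4034 key tag and DS digest, and applies the rules stated above: at most 6 records, a fixed set of accepted algorithms and DS digest types, and SHA-1 for any DS the registry derives from a submitted DNSKEY. `ds_matches` is the same comparison a validating resolver, as described on the ISP slides, makes at each delegation between the parent’s DS and the child’s DNSKEY. Assumptions: the owner name `example.ca.` (the slide omits it, and because the DS digest covers the owner name the slide’s DS value is not reproduced here), the exact set of 11 accepted algorithm numbers (the slide names only families), and the GOST digest type being accepted but not computed (it is not in `hashlib`). The key tag does not depend on the owner name, so the value the script prints can be compared directly with the slide’s key id 20878.

```python
import base64
import hashlib

# DNSKEY from the "Signing a 2nd Level Domain" slide: flags 257 (KSK),
# protocol 3, algorithm 5 (RSA/SHA-1). The slide does not show the owner name.
SLIDE_FLAGS, SLIDE_PROTO, SLIDE_ALG = 257, 3, 5
SLIDE_PUBKEY_B64 = (
    "AwEAAaejF8WJSwiUBCvpxrVrD40O9xIKy0GGUs0pvcAE2T8b2EsbmTnizimWygZ/BE0kCVViOVfW8JaxmwYwBPAD"
    "DuG2G23yHUJgfelW+7jM1L23VuqNc+It4z8fHse/g4snNcZ/fjpSLAF0KMO95cUUzFKU6GTeFm+ebpxBvjQ+x21p"
    "TMJ8DWMAjbNRsaBS6yK2DVR3tQFkf9TrF7Rd4NiARG2nxkQ09JXS3+cv/kofRnxesV7unAc0nnw1aoeLDgGEj9+k"
    "u8Fu86hVGFq6HBgP+zrQCnTyspYk+d5OjQAzIPtB4G+XaWh/ZLfLwo9b7RFUT4c5fSxZLHYotHspCasS8gM="
)
SLIDE_PUBKEY = base64.b64decode(SLIDE_PUBKEY_B64)
ASSUMED_OWNER = "example.ca."  # assumption: the owner name is not on the slide

# Registry rules from the "Some DNSSEC Parameters" slide.
MAX_RECORDS = 6
GENERATED_DS_DIGEST = 1                 # SHA-1 whenever the registry derives DS from DNSKEY
ACCEPTED_DIGEST_TYPES = {1, 2, 3, 4}    # IANA: SHA-1, SHA-256, GOST R 34.11-94, SHA-384
# Assumption: the slide says "all 11 zone-signing algorithms" without listing them.
ACCEPTED_ALGORITHMS = {3, 5, 6, 7, 8, 10, 12, 13, 14, 253, 254}
HASHES = {1: "sha1", 2: "sha256", 4: "sha384"}  # digest type 3 (GOST) is not in hashlib


def wire_name(owner: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key field."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def slide_rdata() -> bytes:
    return dnskey_rdata(SLIDE_FLAGS, SLIDE_PROTO, SLIDE_ALG, SLIDE_PUBKEY)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (independent of owner name)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_params(pubkey: bytes):
    """RFC 3110 public key field -> (exponent, modulus bit length)."""
    exp_len, pos = pubkey[0], 1
    if exp_len == 0:                                # long form: 2-byte exponent length
        exp_len, pos = int.from_bytes(pubkey[1:3], "big"), 3
    e = int.from_bytes(pubkey[pos:pos + exp_len], "big")
    n = int.from_bytes(pubkey[pos + exp_len:], "big")
    return e, n.bit_length()


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 s5.1.4 / RFC 4509."""
    if digest_type not in HASHES:
        raise ValueError(f"digest type {digest_type} cannot be computed here")
    return hashlib.new(HASHES[digest_type], wire_name(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """Resolver-side check: does the parent's DS (key_tag, alg, digest_type, digest) authenticate this DNSKEY?"""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3] and dtype in HASHES
            and ds_digest(owner, rdata, dtype) == digest.upper())


def validate_submission(owner: str, records: list) -> list:
    """Apply the registry rules to a secDNS-1.1-style submission (RFC 5910 dsData / keyData).

    Each record is a dict with type "DS" (keyTag, alg, digestType, digest) or
    type "DNSKEY" (flags, protocol, alg, pubKey as base64). Returns the DS tuples
    that would go into the parent zone; raises ValueError for anything rejected.
    """
    if len(records) > MAX_RECORDS:
        raise ValueError(f"more than {MAX_RECORDS} DS/DNSKEY records")
    out = []
    for r in records:
        if r["alg"] not in ACCEPTED_ALGORITHMS:
            raise ValueError(f"algorithm {r['alg']} not accepted")
        if r["type"] == "DS":
            if r["digestType"] not in ACCEPTED_DIGEST_TYPES:
                raise ValueError(f"digest type {r['digestType']} not accepted")
            out.append((r["keyTag"], r["alg"], r["digestType"], r["digest"].upper()))
        elif r["type"] == "DNSKEY":   # registry derives the DS itself, always with SHA-1
            rdata = dnskey_rdata(r["flags"], r["protocol"], r["alg"], base64.b64decode(r["pubKey"]))
            out.append((key_tag(rdata), r["alg"], GENERATED_DS_DIGEST,
                        ds_digest(owner, rdata, GENERATED_DS_DIGEST)))
        else:
            raise ValueError(f"unknown record type {r['type']}")
    return out


def rejects(owner: str, records: list) -> bool:
    """True if the registry rules would reject this submission."""
    try:
        validate_submission(owner, records)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    rd = slide_rdata()
    print("RSA exponent / modulus bits:", rsa_params(SLIDE_PUBKEY))
    print("key tag (compare with key id 20878 on the slide):", key_tag(rd))
    print("DS derived by the registry for the assumed owner:",
          validate_submission(ASSUMED_OWNER, [{"type": "DNSKEY", "flags": 257, "protocol": 3,
                                               "alg": 5, "pubKey": SLIDE_PUBKEY_B64}]))
```

The key tag is a checksum, not a cryptographic identifier: two keys can share one, which is why a resolver and the registry both keep the algorithm and digest alongside it, and why `ds_matches` compares all four fields before accepting a delegation.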
  • DNSSEC Validation @ ISP
      • What is recursive DNSSEC validation?
        – The caching recursive name server validates the DNSSEC signatures received for an answer against the domain’s DNSKEY keys (and more)
  • DNSSEC Enabled DNS Query (highly simplified)
      All DNSSEC-enabled responses include DNSSEC signatures that must be validated against the DNSKEY.
      (Diagram: Internet User → DNSSEC Enabled Recursive Servers, Cache Results (ISPs) → “.” ROOT Authoritative Servers, “.ca” TLD Authoritative Servers, and the DNS Operators’ authoritative servers; the end-user application is becoming DNSSEC aware and connects to the Web Server at 2001:500:80:2::12.)
  • DNSSEC Validation @ ISP – to enable DNSSEC validation at an ISP:
      • Ensure the DNS software on your caching recursive servers supports DNSSEC
        – Bind version 9.7 and up
        – Unbound version 1.4 and up
        – Microsoft DNS on Windows Server 2012 and up
        – Many other open source and commercial versions
  • DNSSEC Requirements @ ISP
      • Ensure that you’re running a recent/decent recursive DNS infrastructure
        – DNSSEC relies on public key cryptography
        – Did not find any research specifying exact hardware sizing requirements
      • Hardware
      • Bandwidth
      • Comcast: IPv6 and DNSSEC, ~10% increase in rDNS usage
  • DNSSEC Requirements @ ISP
      • May need to upgrade software / hardware to support validation
      • Need to support large UDP DNS responses up to 4K, UDP fragments
      • Need to support DNS over TCP
      • Configure your recursive with the IANA trust anchor
      • Negative trust anchor for broken sites (temporary measure)
  • Questions
      • If you want our DNSSEC Registrar specifications document, let me know; 40 pages of good stuff.
      • Please contact us @ CIRA if you have any questions