DNSSEC.UA: ZERO TO LIVE IN 6 MONTHS
Hostmaster Ltd, September 11th 2012, Budva, Montenegro

DNSSEC.UA - for Budva 2012

Update to ICANN 44 presentation - Budva, ME (ccTLD.RU conference)

  1. DNSSEC.UA: ZERO TO LIVE IN 6 MONTHS
     Hostmaster Ltd, September 11th 2012, Budva, Montenegro
  2. Prehistory - UA.UA
     • Start: November 8th 2011 - Key Signing Key generated at Fourth IPv6 Workshop in Kyiv
     • Zone UA.UA signed, keys published in DLV.ISC.ORG
     • UA zone updated with DS record for ua.ua
     • Test web site http://ua.ua/ (test by Firefox plugin)
  3. DNSSEC Testbed
     • Copy of production environment:
     • BIND 9.8 (then latest release)
     • some shell and Makefile magic
     • FreeBSD with jails
     • rsync over ssh, md5 checksums
  4. Key Generation Ceremony
     • Held on December 2nd, 2011 - UA anniversary, at UAdom conference in Kyiv
     • Scripted, rehearsed, recorded on video
     • Key parameters - RSASHA512 (10), 2048 bits
     • Key lifetime - not set, tentative three years
  5. Signed Cloned Zone
     • Anycast server ho1.ua.ua
     • 195.47.253.17 and 2001:67c:258::17
     • Test trust anchor (and KSK):
       ua. IN DS 29019 10 2 68B5F97978F45398C9C0382161701EA3AB4A882011DCAA4F5188800D D58FE2AD
     • Not a production zone, use at your own risk (but all delegated NS records are the same)
  6. Public Validating Resolver
     • Announced February 7th, 2012 at Fifth IPv6 Workshop in Kyiv
     • Code named “Lighthouse” -- lh.cctld.ua
     • 194.44.71.71 and 2001:7f8:55:7::71
     • Can be used by anybody - validates UA signed clone
  7. Live Deployment
     • Planned at ICANN meeting (witness Steve Crocker on March 14th, 2012)
     • KSK in UA - March 27th
     • DS in Root Zone - April 13th (Friday)
     • DS delegations in UA - only 6 so far
     • ua.ua netassist.ua rovno.ua nic.ua; chernovtsy.ua cv.ua
  8. Key rollover schedule
     • KSK, made in Ukraine, December 2nd, 2011
     • Old ZSK schedule - key made weekly, every Wednesday, key lifetime: 10 days (until Saturday)
     • Zone signed every hour, every day
     • New ZSK schedule: generated 10th of every month, key lifetime: 40 days
     • Change effective June 10th 2012
  9. Some statistics
  10. Questions? www.hostmaster.ua/dnssecinfo@hostmaster.ua
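
A sanity check for the test trust anchor on slide 5 before it goes into a validating resolver's configuration. This is an added example, not code from the presentation or from Hostmaster Ltd. It assumes the digest type field is 2 (SHA-256), which the 64-hex-digit digest implies, and checks the algorithm against the RSASHA512 key parameter from slide 4; `parse_ds` and its tables are hypothetical names.

```python
# Added example: validate a DS record in presentation format before trusting it.
HEX_LEN = {1: 40, 2: 64, 4: 96}  # digest type -> hex digits (SHA-1, SHA-256, SHA-384)
ALG_NAME = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
            10: "RSASHA512", 13: "ECDSAP256SHA256"}

# The record as it appears in the extracted slide text (digest type fused to the digest).
AS_EXTRACTED = "ua. IN DS 29019 10 268B5F97978F45398C9C0382161701EA3AB4A882011DCAA4F5188800D D58FE2AD"
# Assumption: the leading "2" is the digest type field, separated from the digest.
REPAIRED = AS_EXTRACTED.replace(" 10 2", " 10 2 ", 1)


def parse_ds(line, expected_alg=None):
    """Return the DS fields as a dict, or raise ValueError if the record is malformed."""
    tokens = line.split()
    if "DS" not in tokens:
        raise ValueError("not a DS record")
    rdata = tokens[tokens.index("DS") + 1:]
    if len(rdata) < 4:
        raise ValueError("need key tag, algorithm, digest type and digest")
    try:
        key_tag, alg, dtype = (int(f) for f in rdata[:3])
    except ValueError:
        raise ValueError("key tag, algorithm and digest type must be decimal") from None
    digest = "".join(rdata[3:]).upper()  # the digest may be split by whitespace
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError("key tag out of range")
    if dtype not in HEX_LEN:
        raise ValueError(f"unknown digest type {dtype}")
    if len(digest) != HEX_LEN[dtype] or set(digest) - set("0123456789ABCDEF"):
        raise ValueError(f"digest must be {HEX_LEN[dtype]} hex digits")
    if expected_alg is not None and ALG_NAME.get(alg) != expected_alg:
        raise ValueError(f"algorithm {alg} does not match expected {expected_alg}")
    return {"owner": tokens[0], "key_tag": key_tag,
            "algorithm": ALG_NAME.get(alg, str(alg)),
            "digest_type": dtype, "digest": digest}


if __name__ == "__main__":
    print(parse_ds(REPAIRED, expected_alg="RSASHA512"))
    try:
        parse_ds(AS_EXTRACTED)
    except ValueError as err:
        print("rejected fused record:", err)
```

A record that passes only shows it is well-formed; whether it matches the zone's KSK still has to be confirmed against the published DNSKEY.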
