DNSSEC in .SE Patrik Wallström, pawal@nic.se
Preliminary timeline 2005 2006 NOT secure Slaves DNSSEC ready Signed Zone 1 June 1 Sep 15 Oct Keys in the Zone TBA New Reg...
Workshop 6 th  April 2005 <ul><li>Workshop arranged by NIC-SE and the Swedish PTS, Post and Telecom Authority </li></ul><u...
Slaves DNSSEC ready <ul><li>All slaves for .SE will be ready for DNSSEC 1 st  June </li></ul><ul><li>Slaves are using ISC ...
Signed Zone <ul><li>.SE will be signed 1 st  september </li></ul><ul><li>At first, no fingerprints in the zone </li></ul><...
Keys in the Zone <ul><li>Evaluation of signed zone 14 th  October </li></ul><ul><li>DS records in the zone 15 th  October ...
Keyman <ul><li>Keyman is a prototype DNSSEC child key manager – until new EPP registry is in place </li></ul><ul><li>Store...
New Registry <ul><li>Todays registry model in .SE is “confused” </li></ul><ul><li>No clear relation between registrar and ...
New Registry 2 <ul><li>Registrars will handle DNSSEC through EPP </li></ul><ul><li>Requirements for DNSSEC? (Probably some...
Thank you Questions? Patrik Wallström, pawal@nic.se
Upcoming SlideShare
Loading in …5
×

DNSSEC in .SE

1,474 views
1,426 views

Published on

A presentation I held in Kyoto about the progress of DNSSEC in the .SE ccTLD.

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,474
On SlideShare
0
From Embeds
0
Number of Embeds
57
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

DNSSEC in .SE

  1. 1. DNSSEC in .SE Patrik Wallström, pawal@nic.se
  2. 2. Preliminary timeline 2005 2006 NOT secure Slaves DNSSEC ready Signed Zone 1 June 1 Sep 15 Oct Keys in the Zone TBA New Registry 2003 – Signed stable parallel .SE-zone for testing
  3. 3. Workshop 6 th April 2005 <ul><li>Workshop arranged by NIC-SE and the Swedish PTS, Post and Telecom Authority </li></ul><ul><li>Full day introduction and hands-on tutorial </li></ul><ul><li>Participants from registrars, ISP:s, banks, government agencies and large media companies </li></ul>
  4. 4. Slaves DNSSEC ready <ul><li>All slaves for .SE will be ready for DNSSEC 1 st June </li></ul><ul><li>Slaves are using ISC BIND and NSD </li></ul><ul><li>Is the software stable on their machines? </li></ul><ul><li>Slaves are trying out the signed zone on other machines with the same configuration </li></ul><ul><li>Slaves have better knowledge of DNSSEC when ready </li></ul>
  5. 5. Signed Zone <ul><li>.SE will be signed 1 st september </li></ul><ul><li>At first, no fingerprints in the zone </li></ul><ul><li>To be decided upon, new mechanism for signing the zone </li></ul>
  6. 6. Keys in the Zone <ul><li>Evaluation of signed zone 14 th October </li></ul><ul><li>DS records in the zone 15 th October </li></ul><ul><li>The 15 th is Point of No Return </li></ul><ul><li>31 th October, key exchange for the “public” with Keyman, a prototype registry function </li></ul><ul><li>Publishing the public key </li></ul>
  7. 7. Keyman <ul><li>Keyman is a prototype DNSSEC child key manager – until new EPP registry is in place </li></ul><ul><li>Store active keys in a database </li></ul><ul><li>Fetch new keys via DNS </li></ul><ul><li>User selects active keyset </li></ul><ul><li>DS records generated from database </li></ul>
  8. 8. New Registry <ul><li>Todays registry model in .SE is “confused” </li></ul><ul><li>No clear relation between registrar and registrant </li></ul><ul><li>Larger registrars are slowly making the confused model into a more structured Registry – Registrar model </li></ul><ul><li>New registry will be EPP based, and have a clean Registry – Registrar relationship </li></ul><ul><li>Old registry will be “yet another registrar” </li></ul>
  9. 9. New Registry 2 <ul><li>Registrars will handle DNSSEC through EPP </li></ul><ul><li>Requirements for DNSSEC? (Probably some extra paragraphs in the registrar agreement) </li></ul><ul><li>Authentication of registrants? </li></ul>
  10. 10. Thank you Questions? Patrik Wallström, pawal@nic.se

×