Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI


Published on

  • Be the first to comment

  • Be the first to like this

ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI

  1. 1. DNSSEC  in  .si   Where  we  are  Benjamin ZwittnigArnes,
  2. 2. Agenda•  Past actions•  Current status•  Future plans•  Conclusion
  3. 3. Past actions•  Recursive DNS servers - Turned on validation in 2010 - Monitoring traffic, anomalies, increase of TCP...•  Authoritative zone(s) •  Prepare for signing .si - A lot of testing - HSM modules - Different rollover scenarios - Traffic - A lot of documentation
  4. 4. Current status•  At the end of 2011 - .si was signed - DS records were published in root zone•  No problems with signing procedures•  DNSSEC provisioning in the registry sistem is not ready yet•  DS records for .si domains - cca 20 .si domains have DS records in .si - No real interest
  5. 5. Current status•  Resolver operators - On 7th place acording to a RIPE report•  Government shows some interest in DNSSEC - Validation on their recursive resolvers - Signing of their domains later
  6. 6. Current status•  Knowledge about DNSSEC is quite low•  Afraid of technology•  No more zero time administration - Regular key rollovers - Difficult debugging - No immediate benefit from DNSSEC•  Chicken and egg problem
  7. 7. Future plans•  Adapt our registry software to support DNSSEC•  Offer an optional DNSSEC signing service for our customers (as NREN)•  Convince resolver operators to turn on validation•  DNSSEC workshops for all interested parties•  Marketing of DNSSEC•  Discounts for DNSSEC signed domains ?
  8. 8. Conclusion•  Although we have signed .si, we are still far from a full deployment•  Some new problems - Transfer of DNSSEC signed domains - DDoS amplification attacks•  For a real spin off we need - Good DNSSEC awareness among internet users - Critical mass - A good application/service which uses benefits of DNSSEC (maybe DANE)