Technical Center of the Internet
- registries' backbone services.
Runs DNS and domain registration services
.RU, .РФ, .SU, .ДЕТИ, .TATAR
DNSSEC started in .SU (2011)
(first production zone - 23.11.2011)
Main zone - .RU - signed in 2012,
and .РФ - same year.
Signed with RSA
ZSK lifetime - 90 days
operator, officer and observer roles
restricted access, air-gapped systems (for KSK)
KSK - in HSM
ZSK - in protected zone-signing machine (internal network)
Challenges of routine operations
Expired domain with DS
- need to redelegate in grace period
DNSSEC is NOT so popular.
5.4 million names in .RU, and only about 1000 DS records
Compare to TLS (.RU):
in September 2017 - 395462 TLS nodes (HTTPS)
Still about 10% of live web nodes
Compare to DNS (.RU):
in September 2017 - about 70000 name servers
Number of zones with DS records
-- approximately 1.4% of the name-server count
(the comparison is not very meaningful)
DS record present
but DNSSEC is not;
name servers replaced;
etc., you name it.
1. Users/admins - no reason to implement
DNSSEC (no validation at client side);
2. Registrars do not support “automatic”
3. Lack of APIs provided by registrars.
What do we do?
Registry has full support for DS in EPP
(including ECDSA algorithms 13/14);
requires a valid DNSKEY for each DS, and checks it.
And we try to educate end users
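The registry-side check described above (a submitted DS must be derived from a DNSKEY actually published in the child zone), as an added example that is not TCI's own code: it builds the RFC 4034 key tag and DS digest from DNSKEY RDATA and rejects a DS whose tag, algorithm or digest does not match. `SAMPLE_OWNER`, `SAMPLE_PUBKEY` and `SAMPLE_DNSKEY` are constructed test values; the 64 key bytes are a placeholder pattern, not a real P-256 point.

```python
import base64
import hashlib

# Digest types accepted for a DS (RFC 4034 / RFC 6605); SHA-1 (type 1) is deliberately excluded.
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}

def owner_to_wire(name):
    """Canonical wire form of the owner name: lowercase labels, IDN labels as A-labels
    (so .РФ names work), each label length-prefixed, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(a)]) + a for a in (l.encode("idna") for l in labels)) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm number, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5, 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Derive the DS tuple (key tag, algorithm, digest type, hex digest) from a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches_dnskey(ds, owner, dnskey):
    """Registry-side check: accept a submitted DS only if it is derived from the given DNSKEY.
    dnskey is (flags, protocol, algorithm, base64 public key) as published in the child zone."""
    tag, alg, digest_type, digest = ds
    flags, protocol, key_alg, key_b64 = dnskey
    if digest_type not in DIGEST_ALGS or protocol != 3 or alg != key_alg:
        return False
    expected = make_ds(owner, flags, protocol, key_alg, base64.b64decode(key_b64), digest_type)
    return expected[0] == tag and expected[3] == digest.lower()

# Constructed sample: a KSK-flagged (257) algorithm-13 DNSKEY for example.ru.
SAMPLE_OWNER = "example.ru."
SAMPLE_PUBKEY = bytes(range(64))  # placeholder bytes, not a real curve point
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(SAMPLE_PUBKEY).decode())

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, 257, 3, 13, SAMPLE_PUBKEY)
    print("DS", *ds)
    print("accepted:", ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_DNSKEY))
    stale = (ds[0], 13, 2, "00" * 32)  # digest of some other key: must be rejected
    print("stale DS rejected:", not ds_matches_dnskey(stale, SAMPLE_OWNER, SAMPLE_DNSKEY))
```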
DNSSEC in .RU