DNSSEC implementation in Russia


Alexander Venedioukhin, a researcher from the Technical Center of Internet (TCI), shares the current DNSSEC status in Russian ccTLDs, the history of deployment, and registry/registrar operations on DNSSEC.

Published in: Internet

  1. DNSSEC in .RU. Alexander Venedioukhin, Technical Center of the Internet.
  2. TCI: registries' backbone services. Runs DNS and domain registration services of .RU, .РФ, .SU, .ДЕТИ, .TATAR.
  3. DNSSEC started in .SU in 2011 (first production zone: 23.11.2011). The main zone, .RU, was signed in 2012, and .РФ in the same year.
  4. Signed with RSA + NSEC3. ZSK lifetime: 90 days. Standard approach: .RU (DNSVIZ.NET).
  5. Crypto procedures: operator, officer and observer roles; restricted access, air-gapped systems (for KSK); KSK in HSM; ZSK in protected zone-signing machine (internal network). Challenges of routine operations: expired domain with DS, need to redelegate in grace period. How?
  6. Stats: DNSSEC is NOT so popular. Yet. 5.4 million names in .RU and only about 1000 DS records: nanoscale deployment.
  7. Stats: compare to TLS (.RU). In September 2017: 395462 TLS nodes (HTTPS). Still about 10% of live web nodes.
  8. Stats: compare to DNS (.RU). In September 2017: about 70000 name servers. Number of zones with DS records is approximately 1.4% of NS count (not much meaning).
  9. Cases: DS record present but DNSSEC is not: replaced name servers; changed administrator; etc., you name it. Expired RRSIGs.
  10. Why? 1. Users/admins have no reason to implement DNSSEC (no validation at client side); 2. Registrars do not support "automatic" DNSSEC; 3. Lack of APIs provided by registrars.
  11. What do we do? Registry has full support for DS in EPP (including ECDSA 13/14); requires a valid DNSKEY for DS, and checks it. And we try to educate end users.
  12. DNSSEC in .RU. Thank you! Questions? Alexander Venedioukhin, TCI.
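
The check named on slide 11 (a DS is accepted only when it matches a DNSKEY) and the stale-DS case from slide 9, as an added example; this is not TCI's registry code. It assumes the DNSKEY set was already fetched from the child zone apex and covers only the DS/DNSKEY match (RFC 4034), not RRSIG validation; the function names, owner name and key bytes are constructed for illustration.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical lowercase wire form; IDN names must be given as A-labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key):
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def check_ds(owner, ds, dnskeys):
    """dnskeys = [(flags, protocol, algorithm, key_bytes), ...] from the child apex."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False, "unsupported digest type"
    reason = "no DNSKEY with this key tag and algorithm"
    for key in dnskeys:
        flags, proto, kalg, _ = key
        if kalg != alg or key_tag(dnskey_rdata(*key)) != tag:
            continue  # not the key this DS points at
        if not flags & 0x0100 or proto != 3:  # Zone Key bit and protocol 3 required
            reason = "matching DNSKEY is not a zone key"
        elif make_ds(owner, key, dtype)[3] == digest.lower():
            return True, "DS matches DNSKEY"
        else:
            reason = "digest mismatch"
    return False, reason

# Constructed sample data: placeholder name, arbitrary bytes in place of P-256 keys.
OWNER = "child.example."
OLD_KEY = (257, 3, 13, bytes(range(64)))
NEW_KEY = (257, 3, 13, bytes(range(64, 128)))
DS_OLD = make_ds(OWNER, OLD_KEY)

if __name__ == "__main__":
    print(check_ds(OWNER, DS_OLD, [OLD_KEY]))  # DS and DNSKEY agree
    print(check_ds(OWNER, DS_OLD, [NEW_KEY]))  # key replaced, old DS left at the registry
```

Running the same check periodically against delegations that already hold a DS would surface the "DS present but DNSSEC is not" cases, since a replaced key or an unsigned zone leaves no DNSKEY for the stored DS to match.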