DNSSEC Deployment for .VN
Nguyen Trung Kien | Ho Chi Minh City | Feb 2017
MINISTRY OF INFORMATION AND COMMUNICATIONS
VIETNAM INTERNET NETWORK INFORMATION CENTER
Overview
Preparations
Deployment
Next Plan
www.vnnic.vn
Current Status for DNSSEC Deployment
• For TLDs (24 Jan 2017):
o 1528 TLDs in the root zone in total
o 1383 TLDs are signed (~ 90%)
• For ccTLDs:
DNSSEC in Vietnam
• From 2012: Experimental
• 10/2014: Announced
• 2015: Partial
• 2016: DS in Root
• 2017 onward: Operational
1. Experimental:
o Attended forums and conferences
o Research on DNSSEC
2. Announced:
o DNSSEC OT&E
o Training
3. Partial:
o Signing & key rollover
o Tools & software development
4. DS in Root:
o Generation & submission
o Monitoring
5. Operational:
o Support to deploy DNSSEC
o Upgrades and improvements
o Debugging
Preparations
DNSSEC Plan
2015
• Preparation
• Planning
• Preparing human and technical resources
• Promote cooperation activities and training
• Policy, procedure, process
2016
• Implementation
• Key generation & zone signing for .VN
• .VN zone is signed & DS has been published to DNS ROOT
• Continue promotion activities, training
2017
• Accomplishment
• Upgrade SRS to support EPP
• ISP, Registrar, DNS Owner in Vietnam
DNSSEC in 2016
No. Tasks
1 DNSSEC Plan for .VN domain name
2 Established DNSSEC team & Training skills
3 Infrastructure for DNSSEC:
- Topology: DC/DR
- DNSSEC System: DNS/DNSSEC server & HSM
4 DNSSEC documents & DPS
5 DNSSEC Production for VN zone:
- DNS & HSM Integrated
- Inline-signing bump in the wire
- DNSSEC Monitoring
6 SRS-EPP OTE support DNSSEC
7 Key signing ceremony scripts
8 Signing VN zone & update DS to root
Topology
• Resilient: built with DC and DR (HN & HCM city)
o Active/standby: each site serves as a backup to the other.
o Each site contains two independent instances of equipment, each able to sign the .VN zone
• Policy:
o Private keys are stored in the HSM
o Public keys are stored in zone data (DNSKEY record) and published to the community
• Roles for signing key operator:
o KGA (Key Generation Administrator)
o SA (System Administrator)
o SO (Security Officer)
o WI (Witness)
• Activities:
o Key generation (KSK, ZSK)
o Key rollover (KSK, ZSK)
o Key revocation (KSK, ZSK)
Topology (cont.)
Security Area
1. Security Area 3
- Network Operations Center (NOC)
- Authentication: Fingerprint, SmartCard
2. Security Area 2
- Server Room
- Authentication: SmartCard
3. Security Area 1
- DNSSEC Cage:
o Cabinet 3: KGA, SA, SO access
o Cabinet 2: SA (Facility, Network) access
o Cabinet 1: SA (DNS, HSM), SO access
- Authentication: Fingerprint, Password
[Diagram: Security Areas 1, 2 and 3; Cabinet 1 (DNS/DNSSEC, HSM), Cabinet 2 (Facility, Network), Cabinet 3 (HSM smartcard, key, card)]
Key Parameters
KSK:
• Private/Public Key pair
• Key Algorithm: RSA/SHA-256
• Key size: 2048
• Manual rollover
ZSK:
• Private/Public Key pair
• Key Algorithm: RSA/SHA-256
• Key size: 1024
• Automatic rollover

Key Type | Function | Algorithm | Key length | NSEC/NSEC3
KSK | Sign DNSKEY | RSA-SHA256 | 2048 bits | NSEC3
ZSK | Sign RRSET | RSA-SHA256 | 1024 bits | NSEC3

Key Type | Key Rollover | Signing Validity | Refresh Time
KSK | 12 months | |
ZSK | 90 days | 30 days | 7.5 days
Key Generation & Rollover
• Key Generation:
o HSM Master generates and stores the new KSK, ZSK
o HSM Master synchronizes the key to the other HSMs (manual synchronization)
o DNSSEC Signer loads key label from HSM (only private key)
o DNSSEC Signer configures the DNSSEC keys; the HSM uses the private key to sign data.
o Update DS to the parent zone (only with KSK generation)
o Requires a KGA, SA, SO and WI
• Key Rollover:
o ZSK Rollover: Pre-Publish; KSK Rollover: Double Signing
o Time to rollover:
  - KSK: 30 days before key expires.
  - ZSK: 2 days before key expires.
o Procedure:
  - ZSK: Automatic rollover, by script.
  - KSK: Manual rollover, by key signing ceremony + update DS to parent zone.
Deployment
Zone Signing
• We deployed a new DNSSEC Production system:
o New DNSSEC Hidden/Master
o Zone transfer from DNS Hidden/Master to DNSSEC Hidden/Master
• Zone signing VN zone on DNSSEC production:
o DC-DR model.
o Signing with HSM Cluster (4 DNSSEC Signer/HSM)
• DNS services (without DNSSEC) on-line for resolving, DNSSEC services off-line for trial operation
[Diagram: Zone Generation, Hidden Master, Signer box, Name Servers, Test Name Servers]
DNSSEC Online
• Key Signing Ceremony for VN zone (20 Dec 2016):
o Internal ceremony at VNNIC
o Key generation for VN zone (KSKs, ZSKs)
• Change DNS Master to DNSSEC Master to publish the signed vn zone.
• Check the DNS secondaries after zone transfer of the signed vn zone (only for 5 minutes)
• Passed IANA's validation for the DS record of .VN
• DS for .VN became effective in the root zone on 31 Dec 2016
[Diagram: Zone Generation, Hidden Master, Signer box, Name Servers]
DNSSEC Monitoring
• Nagios is used to monitor the DNSSEC system
• Monitoring:
o Zone size
o Signature Expiry
o Zone signing process
o KSK, ZSK parameters
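An added example (not VNNIC's tooling and not code from the slides): a Nagios-style check covering the "Signature Expiry" and "KSK, ZSK parameters" items, using the deck's values (RSA/SHA-256, 2048-bit KSK, 1024-bit ZSK, 7.5-day refresh time). The function names, the 2-day critical threshold, the reading of refresh time as "regenerate once 7.5 days of validity remain" applied to every RRSIG, and the sample records are assumptions constructed for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2            # Nagios plugin exit codes
RSASHA256 = 8                              # DNSSEC algorithm number for RSA/SHA-256
REFRESH = timedelta(days=7.5)              # refresh time from the key-parameter table
EXPECTED_BITS = {257: 2048, 256: 1024}     # DNSKEY flags: 257 = KSK, 256 = ZSK


def parse_ts(text):
    """RRSIG timestamps are written as YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rsa_bits(key_b64):
    """Modulus size in bits of an RSA DNSKEY public key (RFC 3110 layout)."""
    raw = base64.b64decode(key_b64)
    if raw[0]:                             # one-byte exponent length
        exp_len, offset = raw[0], 1
    else:                                  # zero byte, then a two-byte length
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[offset + exp_len:], "big").bit_length()


def check_zone(records, now, warn=REFRESH, crit=timedelta(days=2)):
    """Return (status, problems) for DNSKEY and RRSIG lines in zone-file form.

    warn: a signature with less validity left should already have been
    regenerated (assumed meaning of the refresh time).
    crit: assumed threshold, not taken from the slides.
    """
    status, problems = OK, []

    def report(level, text):
        nonlocal status
        status = max(status, level)
        problems.append(text)

    for line in records:
        fields = line.split()
        if len(fields) < 8 or fields[2] != "IN":
            continue                       # not a record this check understands
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":              # rdata: flags protocol algorithm key
            flags, alg = int(rdata[0]), int(rdata[2])
            if alg != RSASHA256:
                report(CRITICAL, f"DNSKEY flags={flags}: algorithm {alg}, expected 8")
                continue
            bits = rsa_bits("".join(rdata[3:]))
            if bits != EXPECTED_BITS.get(flags):
                report(CRITICAL, f"DNSKEY flags={flags}: unexpected {bits}-bit key")
        elif rtype == "RRSIG":             # rdata: covered alg labels ttl exp inc tag signer sig
            covered, alg = rdata[0], int(rdata[1])
            expires, inception = parse_ts(rdata[4]), parse_ts(rdata[5])
            left = expires - now
            if alg != RSASHA256:
                report(CRITICAL, f"RRSIG {covered}: algorithm {alg}, expected 8")
            if now < inception:            # signer or monitor clock is wrong
                report(CRITICAL, f"RRSIG {covered}: not valid until {inception:%Y-%m-%d}")
            elif left <= timedelta(0):
                report(CRITICAL, f"RRSIG {covered}: expired")
            elif left < crit:
                report(CRITICAL, f"RRSIG {covered}: expires in {left.days}d")
            elif left < warn:
                report(WARNING, f"RRSIG {covered}: {left.days}d left, re-sign overdue")
    return status, problems


def sample_records():
    """Constructed records, not real .VN data; keys are filler bytes of the right size."""
    def key(bits):
        modulus = b"\xc3" + b"\x01" * (bits // 8 - 1)
        return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

    sig = "vn. 86400 IN RRSIG {} 8 1 86400 {} {} 11111 vn. c2ln"
    return [
        f"vn. 86400 IN DNSKEY 257 3 8 {key(2048)}",
        f"vn. 86400 IN DNSKEY 256 3 8 {key(1024)}",
        sig.format("DNSKEY", "20170130000000", "20161231000000"),      # 20 days left
        sig.format("SOA", "20170115000000", "20161216000000"),         # 5 days left
        sig.format("NSEC3PARAM", "20170111000000", "20161212000000"),  # 1 day left
    ]


if __name__ == "__main__":
    now = datetime(2017, 1, 10, tzinfo=timezone.utc)   # fixed clock for the sample
    status, problems = check_zone(sample_records(), now)
    print(["OK", "WARNING", "CRITICAL"][status], "-", "; ".join(problems) or "all checks passed")
    raise SystemExit(status)
```

In a real deployment the records would come from a query against the signed zone, and the warning threshold may need a small margin below the refresh time so that signatures the signer is about to regenerate do not alert.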
Next Plan
DNSSEC in 2017
No. Tasks
1 Sign DNSSEC for:
• Sub-domain SLD, example: com.vn, net.vn, provinces domain…
• Reserve domain
• VNNIC’s domain
2 Open testbed for Registrar to update DS
3 Support, training ISP, DNS Hosting Provider, DNS Owner to deploy DNSSEC
DNSSEC for ISPs
• Network:
o DNSSEC adds digital signatures to DNS response packets, which often exceed 1,500 bytes → increased bandwidth.
o Allow DNS queries over TCP
o Handle large UDP packets (>512 bytes, ≤4,000 bytes).
• Pre-Deployment:
o Software that supports DNSSEC: BIND version 9.7+, Unbound version 1.4+, Microsoft Windows Server 2012, Knot DNS 1.4.0, PowerDNS 3.0+
o Server systems are sufficiently modern
o Large UDP DNS packets are allowed through the firewall
o UDP fragments are not blocked by the firewall
DNSSEC for Registrars
• Upgrade the EPP system with secdns-1.1 to support DNSSEC.
• Connect to VNNIC’s EPP system.
DNSSEC for DNS Hosting Providers
• Upgrade DNS to support DNSSEC.
• Implement Signing box
• Connect to registrar to update DS records.
• Recommendation:
o Signing box:
  - Open Source (BIND, NSD, opendnssec, softhsm…)
  - Hardware (HSM)
o Operation:
  - Follow policies, procedures
  - Key management (KSK, ZSK)
  - Key parameters (Algorithm, key size, NSEC/NSEC3)
Conclusion
• How to push ISP, DNS Hosting to support DNSSEC?
• Automated DS change with RFC 7344 “Automating DNSSEC Delegation Trust Maintenance”
https://tools.ietf.org/html/rfc7344
Thank you!
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 

Recently uploaded (20)

VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICECall Girls Service Dwarka @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 

DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017

  • 1. DNSSEC Deployment for .VN
    Nguyen Trung Kien | Ho Chi Minh City | Feb 2017
    MINISTRY OF INFORMATION AND COMMUNICATIONS
    VIETNAM INTERNET NETWORK INFORMATION CENTER
  • 3. Current Status for DNSSEC Deployment
    • For TLDs (24 Jan 2017):
      o 1528 TLDs in the root zone in total
      o 1383 TLDs are signed (~ 90%)
    • For ccTLDs:
    www.vnnic.vn
  • 4. DNSSEC in Vietnam
    • From 2012: Experimental
    • 10/2014: Announced
    • 2015: Partial
    • 2016: DS in Root
    • 2017 - : Operational
    1. Experimental:
       - Attended forums and conferences
       - Research on DNSSEC
    2. Announced:
       - DNSSEC OT&E
       - Training
    3. Partial:
       - Signing & key rollover
       - Tools & software development
    4. DS in Root:
       - Generation & submission
       - Monitoring
    5. Operational:
       - Support for deploying DNSSEC
       - Upgrades and improvements
       - Debugging
  • 6. DNSSEC Plan
    2015
      • Preparation
      • Planning
      • Preparing human and technical resources
      • Promoting cooperation activities and training
      • Policy, procedure, process
    2016
      • Implementation
      • Key generation & zone signing for .VN
      • .VN zone is signed & DS has been published to the DNS root
      • Continue promotion activities and training
    2017
      • Accomplishment
      • Upgrade SRS to support EPP
      • ISP, Registrar, DNS Owner in Vietnam
  • 7. DNSSEC in 2016
    No. | Tasks
    1 | DNSSEC Plan for .VN domain name
    2 | Established DNSSEC team & training skills
    3 | Infrastructure for DNSSEC:
      |   - Topology: DC/DR
      |   - DNSSEC System: DNS/DNSSEC server & HSM
    4 | DNSSEC documents & DPS
    5 | DNSSEC Production for VN zone:
      |   - DNS & HSM integrated
      |   - Inline-signing bump in the wire
      |   - DNSSEC Monitoring
    6 | SRS-EPP OTE support DNSSEC
    7 | Key signing ceremony scripts
    8 | Signing VN zone & update DS to root
  • 8. Topology
    • Resilient: built with DC and DR (HN & HCM city)
      o Active-standby: each site serves as a backup to the other.
      o Each site contains two independent instances of equipment that are able to sign the .VN zone
    • Policy:
      o Private keys are stored in the HSM
      o Public keys are stored in zone data (DNSKEY record) and published to the community
    • Roles for signing key operators:
      o KGA (Key Generation Administrator)
      o SA (System Administrator)
      o SO (Security Officer)
      o WI (Witness)
    • Activities:
      o Key generation (KSK, ZSK)
      o Key rollover (KSK, ZSK)
      o Key revocation (KSK, ZSK)
  • 10. Security Area
    1. Security Area 3 - Network Operations Center (NOC)
       - Authentication: Fingerprint, SmartCard
    2. Security Area 2 - Server Room
       - Authentication: SmartCard
    3. Security Area 1 - DNSSEC Cage:
       o Cabinet 3: KGA, SA, SO access
       o Cabinet 2: SA (Facility, Network) access
       o Cabinet 1: SA (DNS, HSM), SO access
       - Authentication: Fingerprint, Password
    [Diagram: Security Area 1, Security Area 2, Security Area 3; Cabinet 1, Cabinet 2, Cabinet 3; labels: Facility, Network; DNS/DNSSEC, HSM; HSM, Smartcard, Key, Card]
  • 11. Key Parameters
    KSK:
      • Private/Public key pair
      • Key algorithm: RSA/SHA-256
      • Key size: 2048
      • Manual rollover
    ZSK:
      • Private/Public key pair
      • Key algorithm: RSA/SHA-256
      • Key size: 1024
      • Automatic rollover
    Key Type | Function | Algorithm | Key length | NSEC/NSEC3
    KSK | Sign DNSKEY | RSA-SHA256 | 2048 bits | NSEC3
    ZSK | Sign RRSET | RSA-SHA256 | 1024 bits | NSEC3

    Key Type | Key Rollover | Signing Validity | Refresh Time
    KSK | 12 months | |
    ZSK | 90 days | 30 days | 7.5 days
  • 12. Key Generation & Rollover
    • Key Generation:
      o The HSM master generates and stores the new KSK and ZSK
      o The HSM master synchronizes the keys to the other HSMs (manual synchronization)
      o The DNSSEC signer loads the key label from the HSM (only private key)
      o The DNSSEC signer configures the DNSSEC keys; the HSM uses the private key to sign data.
      o Update DS in the parent zone (only with KSK generation)
      o Requires a KGA, SA, SO, WI
    • Key Rollover:
      o ZSK rollover: Pre-Publish; KSK rollover: Double Signing
      o Time to roll over: KSK: 30 days before the key expires. ZSK: 2 days before the key expires.
      o Procedure: ZSK: automatic rollover by script. KSK: manual rollover, with a key signing ceremony + DS update in the parent zone.
  • 14. Zone Signing
    • We deployed a new DNSSEC production system:
      o New DNSSEC Hidden/Master
      o Zone transfer from the DNS Hidden/Master to the DNSSEC Hidden/Master
    • Zone signing of the VN zone on DNSSEC production:
      o DC-DR model.
      o Signing with an HSM cluster (4 DNSSEC Signer/HSM)
    • DNS services (without DNSSEC) online for resolving; DNSSEC services offline for trial operation
    [Diagram: Zone Generation, Hidden Master, Signer box, Name Servers, Test Name Servers]
  • 15. DNSSEC Online
    • Key Signing Ceremony for the VN zone (20 Dec 2016):
      o Internal ceremony at VNNIC
      o Key generation for the VN zone (KSKs, ZSKs)
    • Change the DNS master to the DNSSEC master to publish the signed vn zone.
    • Check the DNS secondaries after zone transfer of the signed vn zone (only for 5 minutes)
    • Passed IANA's validation for the DS record of .VN
    • DS for .VN became effective on 31 Dec 2016 in the root zone
    [Diagram: Zone Generation, Hidden Master, Signer box, Name Servers]
  • 16. DNSSEC Monitoring
    • Nagios is used to monitor the DNSSEC system
    • Monitoring:
      o Zone size
      o Signature expiry
      o Zone signing process
      o KSK, ZSK parameters
  • 18. DNSSEC in 2017
    No. | Tasks
    1 | Sign DNSSEC for:
      |   • Sub-domain SLD, example: com.vn, net.vn, provinces domain…
      |   • Reserve domain
      |   • VNNIC's domain
    2 | Open testbed for Registrar to update DS
    3 | Support, training ISP, DNS Hosting Provider, DNS Owner to deploy DNSSEC
  • 19. DNSSEC for ISPs
    • Network:
      o DNSSEC adds digital signatures to DNS response packets, which often exceed 1,500 bytes → increased bandwidth.
      o Allow DNS queries over TCP
      o Handle large UDP packets (>512 bytes, ≤4,000 bytes).
    • Pre-Deployment:
      o Software that supports DNSSEC: BIND version 9.7+, Unbound version 1.4+, Microsoft Windows Server 2012, Knot DNS 1.4.0, PowerDNS 3.0+
      o Server systems are sufficiently modern
      o Large UDP DNS packets are allowed through the firewall
      o UDP fragments are not blocked by the firewall
  • 20. DNSSEC for Registrars
    • Upgrade the EPP system with secdns-1.1 to support DNSSEC.
    • Connect to VNNIC's EPP system.
  • 21. DNSSEC for DNS Hosting Providers
    • Upgrade DNS to support DNSSEC.
    • Implement a signing box
    • Connect to the registrar to update DS records.
    • Recommendation:
      o Signing box:
        - Open source (BIND, NSD, opendnssec, softhsm…)
        - Hardware (HSM)
      o Operation:
        - Follow policies, procedures
        - Key management (KSK, ZSK)
        - Key parameters (algorithm, key size, NSEC/NSEC3)
  • 22. Conclusion
    • How to push ISPs and DNS hosting providers to support DNSSEC?
    • Automated DS change with RFC 7344 "Automating DNSSEC Delegation Trust Maintenance" https://tools.ietf.org/html/rfc7344
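
Slide 16 lists signature expiry and KSK/ZSK parameters among the items monitored with Nagios; the block below is an added example (not VNNIC's own plugin) of a Nagios-style check over RRSIG records that uses the key parameters from slide 11. It assumes the 7.5-day refresh time is the point at which the signer re-signs; the 2-day critical margin, the sample records, the key tag and all function names are constructed for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2      # Nagios plugin exit codes
REFRESH = timedelta(days=7.5)        # slide 11 "Refresh Time", read here as the re-sign threshold
CRIT_MARGIN = timedelta(days=2)      # assumption, not taken from the slides
EXPECTED_ALG = 8                     # RSA/SHA-256 is DNSSEC algorithm number 8 (RFC 5702)

# Constructed sample: RRSIG records in presentation format; key tag and signature are fake.
NOW = datetime(2017, 1, 10, tzinfo=timezone.utc)
SAMPLE = [
    "vn. 86400 IN RRSIG SOA 8 1 86400 20170125000000 20161226000000 12345 vn. c2ln",
    "vn. 86400 IN RRSIG NS 8 1 86400 20170115000000 20161216000000 12345 vn. c2ln",
    "vn. 86400 IN RRSIG DNSKEY 8 1 86400 20170111000000 20161212000000 12345 vn. c2ln",
]

def _ts(text):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Pull the monitored fields out of one RRSIG record in presentation format."""
    f = line.split()
    i = f.index("RRSIG")
    return {"owner": f[0], "covered": f[i + 1], "alg": int(f[i + 2]),
            "expire": _ts(f[i + 5]), "incept": _ts(f[i + 6]), "keytag": int(f[i + 7])}

def check_zone(lines, now):
    """Return (nagios_status, messages) for a list of RRSIG lines."""
    status, msgs = OK, []
    for sig in map(parse_rrsig, lines):
        left = sig["expire"] - now
        days = left / timedelta(days=1)
        if sig["alg"] != EXPECTED_ALG:
            level, why = CRITICAL, "unexpected algorithm %d" % sig["alg"]
        elif now < sig["incept"]:
            level, why = CRITICAL, "inception is in the future"
        elif left <= CRIT_MARGIN:
            level, why = CRITICAL, "expires in %.1f days" % days
        elif left < REFRESH:
            level, why = WARNING, "not refreshed, %.1f days left" % days
        else:
            continue                 # signature is inside its normal refresh cycle
        status = max(status, level)
        msgs.append("%s/%s keytag %d: %s" % (sig["owner"], sig["covered"], sig["keytag"], why))
    return status, msgs

if __name__ == "__main__":
    status, msgs = check_zone(SAMPLE, NOW)
    print(["OK", "WARNING", "CRITICAL"][status], "-", "; ".join(msgs) or "all signatures fresh")
    sys.exit(status)
```

A WARNING here means the signer has missed a refresh while resolvers still validate the zone, which is the window in which the signing process can be repaired before signatures actually expire.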