AFRINIC, profile picture
Uploaded byAFRINIC
148 views

AFRINIC DNSSEC Infrastructure and Signer Migration

1. AfriNIC operates DNSSEC services for reverse DNS zones and several African ccTLDs. They migrated their signing infrastructure to a new signer while maintaining DNSSEC validation. 2. The migration was done silently without any invalidity window by using the existing DNSKEYs followed by a rollover. This avoided any interactions with parent zones during the migration. 3. Very few AfriNIC members currently sign their reverse zones and submit DS records. AfriNIC aims to improve adoption of DNSSEC by their members and may provide hosted signing services.

Embed presentation

Download to read offline
AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 1
African RIR 2 ● RIR for the African and Indian Ocean region ● Community-driven through policy discussion ● Allocation of IPv4, IPv6 and ASN ● Maintains WHOIS database ● Provides security services for resources: RPKI, IRR, DNSSEC ● Provides IPv6 and other trainings ● Since 2016 => AfriNIC Labs
AfriNIC DNS Programmes • African Root Server Copy (AfRSCP) – 6 Root Servers (K and L) • AfriNIC supported RFC5855 servers – “c.in-addr.arpa” and “c.ip6.arpa” • African DNS Support Programme (AfDSP) – Free secondary/slave to African ccTLDs (~30) 3
RDNS 4 >$ host 192.0.32.7 7.32.0.192.in-addr.arpa domain name pointer www.icann.org.
DNSSEC@AfriNIC • AfriNIC operates RDNS for its IPv4 and IPv6 zones – 0.c.2.ip6.arpa. – 3.4.1.0.0.2.ip6.arpa. – 2.4.1.0.0.2.ip6.arpa. – {41,196,197,102,105,154}.in-addr.arpa. • Member signs their reverse zones and sends DS records to AfriNIC 196.216/16 ----> 216.196.in-addr.arpa 5
WHOIS Domain object domain: 2.9.0.0.8.f.3.4.1.0.0.2.ip6.arpa descr: rDNS for 2001:43f8:92::/48 - AFRINIC CPT OPS org: ORG-AFNC1-AFRINIC admin-c: IT7-AFRINIC tech-c: IT7-AFRINIC zone-c: IT7-AFRINIC nserver: ns1.afrinic.net nserver: ns3.afrinic.net nserver: ns2.afrinic.net ds-rdata: 2842 8 2 c2e3b07f192cfdb0f0395e66f446ce02e9484e22fb787a17f7babe91547 d3ed4 remarks: AFRINIC CPT OPS mnt-by: AFRINIC-IT-MNT mnt-lower: AFRINIC-IT-MNT source: AFRINIC # Filtered 6
MyAFRINIC 7
DNSSEC Policy • Rollover – ZSK: Monthly – KSK: Yearly (double DS) • Signature lifetime: 15 days 8 Parameter Key Length Algorithm KSK 2048 bits RSA ZSK 1024 bits RSA Signature SHA-256 RSA • TTL: – DNSKEY: TTL on SOA – NSEC: mininum of SOA – RRSIG: lowest TTL – DS: TTL on NS
Architecture 9
5 Members with DS records • ATI - Agence Tunisienne Internet • CBC EMEA LTD • Posix Systems (Pty) Ltd • RMS Powertronics CC • Rhodes University • AfriNIC Ltd Adoption very very low!!!! 10
Signer Migration Why? • Scalability issues with OpenDNSSEC v1.3 • Large delays for signing of zones • The old signer was stuck into "flush mode" occasionally, leading to members to complain about time to propagate of their changes. • Limited support for AXFR IN and OUT 11
Guiding principles •DNSSEC validation maintained all the time •There should be minimum manual editing of signed zones •Migration should be done as quickly as possible •Interaction with parents is kept to a mininum •Key sizes and algorithms will remain the same 12
Assumptions •No ZSK/KSK rollover in progress in the source signer to prevent situation of having multiple DNSKEY RR •The validity of the signatures is much longer that the TTL of the zone (2 or 3 times bigger) •Source and destination signers are not authoritative DNS servers but are hidden primaries. •Both the source and destination signers are provisioned the same way •The parent zone in-addr.arpa and ip6.arpa accepts Double-DS records for key rollover procedures. 13
Migration Strategies 14 Criteria Option 1 Export existing keys Option 2 Key rollover Option 3 New Keys Option 4 Existing keys followed by rollover Invalidity window NO NO YES NO Key manipulation YES NO NO YES Rollover time None Wait for old signatures to expire Wait for caches to pick up new keys - Number of interactions with parents 0 2 1 - DNSKEY RRset size Same Double Same Same Exposure of private keys YES NO: only public keys exposed NO YES
Migration timeline 15
Double DS 16
Future work 17 Implications: • Trust in AfriNIC in managing DNSKEYs • Uptime, SLA, etc Hosted DNSSEC signer engines for AFRINIC members
AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 18

More Related Content

PDF
Building and operating a global DNS content delivery anycast network
byAPNIC
 
PDF
NANOG 84: DNS Openness
byAPNIC
 
PPTX
501 ch 3 network technologies tools
bygocybersec
 
PPTX
IPv6 Segment Routing : an end-to-end solution ?
byOlivier Bonaventure
 
PDF
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
byAPNIC
 
PDF
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
byAPNIC
 
PDF
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
byAPNIC
 
PDF
PacNOG 29: Routing security is more than RPKI
byAPNIC
 
Building and operating a global DNS content delivery anycast network
byAPNIC
 
NANOG 84: DNS Openness
byAPNIC
 
501 ch 3 network technologies tools
bygocybersec
 
IPv6 Segment Routing : an end-to-end solution ?
byOlivier Bonaventure
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
byAPNIC
 
ThaiNOG Day 2019: Internet Number Registry Services, the Next Generation
byAPNIC
 
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
byAPNIC
 
PacNOG 29: Routing security is more than RPKI
byAPNIC
 

What's hot

PDF
DNS Survival Guide
byAPNIC
 
PDF
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
bySam Bowne
 
PDF
4. Communication and Network Security
bySam Bowne
 
PPTX
Network scanning
byMD SAQUIB KHAN
 
PDF
The Next Generation Internet Number Registry Services
byMyNOG
 
PPTX
9 ipv6-routing
byOlivier Bonaventure
 
PPTX
Future Internet protocols
byOlivier Bonaventure
 
PPTX
Wireshark
byKasun Madusanke
 
PPTX
Ipv6
byYan Drugalya
 
PPTX
12 ethernet-wifi
byOlivier Bonaventure
 
PPTX
High Performance Flow Matching Architecture for Openflow Data Plane
byMahesh Dananjaya
 
PPTX
APNIC Update
byAPNIC
 
PDF
Benefits of Hosting a DNS Root Server
byRIPE NCC
 
PDF
Tutorial: Network State Awareness Troubleshooting
byAPNIC
 
PPTX
5. transistion mechanisum 1
byrajataro
 
PPTX
SDN and Named Data Networking Security
bywolverinetyagi
 
PPTX
Shamsa al mazrooei
byshamsamaz
 
PDF
CNIT 50: 7. Graphical Tools & 8. NSM Consoles
bySam Bowne
 
PPTX
NetCat - the suiss army knife of network
byMehdi Djoughi
 
PPTX
8 congestion-ipv6
byOlivier Bonaventure
 
DNS Survival Guide
byAPNIC
 
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
bySam Bowne
 
4. Communication and Network Security
bySam Bowne
 
Network scanning
byMD SAQUIB KHAN
 
The Next Generation Internet Number Registry Services
byMyNOG
 
9 ipv6-routing
byOlivier Bonaventure
 
Future Internet protocols
byOlivier Bonaventure
 
Wireshark
byKasun Madusanke
 
Ipv6
byYan Drugalya
 
12 ethernet-wifi
byOlivier Bonaventure
 
High Performance Flow Matching Architecture for Openflow Data Plane
byMahesh Dananjaya
 
APNIC Update
byAPNIC
 
Benefits of Hosting a DNS Root Server
byRIPE NCC
 
Tutorial: Network State Awareness Troubleshooting
byAPNIC
 
5. transistion mechanisum 1
byrajataro
 
SDN and Named Data Networking Security
bywolverinetyagi
 
Shamsa al mazrooei
byshamsamaz
 
CNIT 50: 7. Graphical Tools & 8. NSM Consoles
bySam Bowne
 
NetCat - the suiss army knife of network
byMehdi Djoughi
 
8 congestion-ipv6
byOlivier Bonaventure
 

Similar to AFRINIC DNSSEC Infrastructure and Signer Migration

PDF
Signing DNSSEC answers on the fly at the edge: challenges and solutions
byAPNIC
 
PDF
DNS & DNSSEC
byAPNIC
 
PDF
Future Sat Africa - AFRINIC Overview
byMyles Freedman
 
PDF
NZNOG 2013 - Experiments in DNSSEC
byAPNIC
 
PDF
Dnssec afrinic-general
byAFRINIC
 
PPTX
ION Durban - DNSSEC, and Why We Can't Avoid It
byDeploy360 Programme (Internet Society)
 
PPTX
DNSSEC for Registrars by .ORG & Afilias
byORG, The Public Interest Registry
 
PDF
Afrinic_RR
byAFRINIC
 
PDF
AFRINIC - Internet Number Resources Uptake
byInternet Society
 
PPTX
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
byDan Kaminsky
 
PDF
AFRINIC Update
byAPNIC
 
PDF
AFRINIC Update
byAPNIC
 
PDF
AIS19 Newcomers Session (EN)
byAFRINIC
 
PPTX
AFRINIC Update by Patrisse Deesse [APRICOT 2015]
byAPNIC
 
PDF
Afri nic 2nd Presentation at the Youth Engagement Summit Mauritius
byAdrian Hall
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
byAPNIC
 
DNS & DNSSEC
byAPNIC
 
Future Sat Africa - AFRINIC Overview
byMyles Freedman
 
NZNOG 2013 - Experiments in DNSSEC
byAPNIC
 
Dnssec afrinic-general
byAFRINIC
 
ION Durban - DNSSEC, and Why We Can't Avoid It
byDeploy360 Programme (Internet Society)
 
DNSSEC for Registrars by .ORG & Afilias
byORG, The Public Interest Registry
 
Afrinic_RR
byAFRINIC
 
AFRINIC - Internet Number Resources Uptake
byInternet Society
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
byDan Kaminsky
 
AFRINIC Update
byAPNIC
 
AFRINIC Update
byAPNIC
 
AIS19 Newcomers Session (EN)
byAFRINIC
 
AFRINIC Update by Patrisse Deesse [APRICOT 2015]
byAPNIC
 
Afri nic 2nd Presentation at the Youth Engagement Summit Mauritius
byAdrian Hall
 

More from AFRINIC

PDF
TraceMON - a new RIPE Atlas tool
byAFRINIC
 
PDF
Deep Diving into Africa’s Inter-Country Latencies
byAFRINIC
 
PDF
AFRINIC 101 2016 (Fr)
byAFRINIC
 
PDF
DNS Measurements
byAFRINIC
 
PDF
Measuring quality of Internet links in NRENs
byAFRINIC
 
PDF
State of Internet measurement Infrastructure/tools in Africa
byAFRINIC
 
PDF
ARDA - Measuring peering and Interdomain routing topology
byAFRINIC
 
PDF
Latency clustering AfPIF2017
byAFRINIC
 
PDF
AIS19 - Policies under discussion
byAFRINIC
 
PDF
AFRINIC 101 2017
byAFRINIC
 
PDF
Routing security and implications for NRENs
byAFRINIC
 
PDF
Insight Into Africa’s Country-level Latencies
byAFRINIC
 
PDF
Studying performance barriers to cloud services in Africa's public sector
byAFRINIC
 
PDF
APRICOT Latency Clustering
byAFRINIC
 
PDF
Internet development in Africa: a content use, hosting and distribution persp...
byAFRINIC
 
PDF
AFRINIC RIA MoU
byAFRINIC
 
PDF
Measuring the complexity of the Internet: indexes and indicators
byAFRINIC
 
PDF
Tampering With the Open Internet: Experiences From Africa
byAFRINIC
 
PDF
Assessing Internet Freedom and the Digital Resilience
byAFRINIC
 
PDF
Beyond access: measuring digital inequalities
byAFRINIC
 
TraceMON - a new RIPE Atlas tool
byAFRINIC
 
Deep Diving into Africa’s Inter-Country Latencies
byAFRINIC
 
AFRINIC 101 2016 (Fr)
byAFRINIC
 
DNS Measurements
byAFRINIC
 
Measuring quality of Internet links in NRENs
byAFRINIC
 
State of Internet measurement Infrastructure/tools in Africa
byAFRINIC
 
ARDA - Measuring peering and Interdomain routing topology
byAFRINIC
 
Latency clustering AfPIF2017
byAFRINIC
 
AIS19 - Policies under discussion
byAFRINIC
 
AFRINIC 101 2017
byAFRINIC
 
Routing security and implications for NRENs
byAFRINIC
 
Insight Into Africa’s Country-level Latencies
byAFRINIC
 
Studying performance barriers to cloud services in Africa's public sector
byAFRINIC
 
APRICOT Latency Clustering
byAFRINIC
 
Internet development in Africa: a content use, hosting and distribution persp...
byAFRINIC
 
AFRINIC RIA MoU
byAFRINIC
 
Measuring the complexity of the Internet: indexes and indicators
byAFRINIC
 
Tampering With the Open Internet: Experiences From Africa
byAFRINIC
 
Assessing Internet Freedom and the Digital Resilience
byAFRINIC
 
Beyond access: measuring digital inequalities
byAFRINIC
 

Recently uploaded

PDF
The Role of Micro-interactions in Modern Web Design
bydigitalcrafters0810
 
PDF
Network Security Services for Businesses: 5 Simple Ways to Protect Your Network
byPreemptive Technofield
 
PDF
Modernize everything Microsoft session.pdf
byjeyfox1
 
PDF
Top 7 Instagram Monitoring Apps of 2025 – Feature Overview
byMichael Carter
 
PDF
Dublin Core Metadata : Library’s Digital DNA
byDeepanshu Kumar Yadav
 
PDF
2025 Archive - Zsolt Nemeth web blogging
byZsolt Nemeth
 
DOCX
Get Verified Payeer Accounts_ Complete Payeer Account Verification Guide (202...
byBEST IT SMM
 
PPTX
Victoria University Transcripts
byvgki5qphpa
 
PDF
Enshittification and the Current State of UX/Product
byAndrew Turnbull
 
PDF
How to Verify Someone from Dating or Marketplace Apps
bySocial Searcher
 
PPTX
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 
The Role of Micro-interactions in Modern Web Design
bydigitalcrafters0810
 
Network Security Services for Businesses: 5 Simple Ways to Protect Your Network
byPreemptive Technofield
 
Modernize everything Microsoft session.pdf
byjeyfox1
 
Top 7 Instagram Monitoring Apps of 2025 – Feature Overview
byMichael Carter
 
Dublin Core Metadata : Library’s Digital DNA
byDeepanshu Kumar Yadav
 
2025 Archive - Zsolt Nemeth web blogging
byZsolt Nemeth
 
Get Verified Payeer Accounts_ Complete Payeer Account Verification Guide (202...
byBEST IT SMM
 
Victoria University Transcripts
byvgki5qphpa
 
Enshittification and the Current State of UX/Product
byAndrew Turnbull
 
How to Verify Someone from Dating or Marketplace Apps
bySocial Searcher
 
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 

AFRINIC DNSSEC Infrastructure and Signer Migration

  • 1.
    AFRINIC (r)DNSSEC Infrastructure ...and howwe (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 1
  • 2.
    African RIR 2 ● RIRfor the African and Indian Ocean region ● Community-driven through policy discussion ● Allocation of IPv4, IPv6 and ASN ● Maintains WHOIS database ● Provides security services for resources: RPKI, IRR, DNSSEC ● Provides IPv6 and other trainings ● Since 2016 => AfriNIC Labs
  • 3.
    AfriNIC DNS Programmes •African Root Server Copy (AfRSCP) – 6 Root Servers (K and L) • AfriNIC supported RFC5855 servers – “c.in-addr.arpa” and “c.ip6.arpa” • African DNS Support Programme (AfDSP) – Free secondary/slave to African ccTLDs (~30) 3
  • 4.
    RDNS 4 >$ host 192.0.32.7 7.32.0.192.in-addr.arpadomain name pointer www.icann.org.
  • 5.
    DNSSEC@AfriNIC • AfriNIC operatesRDNS for its IPv4 and IPv6 zones – 0.c.2.ip6.arpa. – 3.4.1.0.0.2.ip6.arpa. – 2.4.1.0.0.2.ip6.arpa. – {41,196,197,102,105,154}.in-addr.arpa. • Member signs their reverse zones and sends DS records to AfriNIC 196.216/16 ----> 216.196.in-addr.arpa 5
  • 6.
    WHOIS Domain object domain:2.9.0.0.8.f.3.4.1.0.0.2.ip6.arpa descr: rDNS for 2001:43f8:92::/48 - AFRINIC CPT OPS org: ORG-AFNC1-AFRINIC admin-c: IT7-AFRINIC tech-c: IT7-AFRINIC zone-c: IT7-AFRINIC nserver: ns1.afrinic.net nserver: ns3.afrinic.net nserver: ns2.afrinic.net ds-rdata: 2842 8 2 c2e3b07f192cfdb0f0395e66f446ce02e9484e22fb787a17f7babe91547 d3ed4 remarks: AFRINIC CPT OPS mnt-by: AFRINIC-IT-MNT mnt-lower: AFRINIC-IT-MNT source: AFRINIC # Filtered 6
  • 7.
  • 8.
    DNSSEC Policy • Rollover –ZSK: Monthly – KSK: Yearly (double DS) • Signature lifetime: 15 days 8 Parameter Key Length Algorithm KSK 2048 bits RSA ZSK 1024 bits RSA Signature SHA-256 RSA • TTL: – DNSKEY: TTL on SOA – NSEC: mininum of SOA – RRSIG: lowest TTL – DS: TTL on NS
  • 9.
  • 10.
    5 Members withDS records • ATI - Agence Tunisienne Internet • CBC EMEA LTD • Posix Systems (Pty) Ltd • RMS Powertronics CC • Rhodes University • AfriNIC Ltd Adoption very very low!!!! 10
  • 11.
    Signer Migration Why? • Scalabilityissues with OpenDNSSEC v1.3 • Large delays for signing of zones • The old signer was stuck into "flush mode" occasionally, leading to members to complain about time to propagate of their changes. • Limited support for AXFR IN and OUT 11
  • 12.
    Guiding principles •DNSSEC validationmaintained all the time •There should be minimum manual editing of signed zones •Migration should be done as quickly as possible •Interaction with parents is kept to a mininum •Key sizes and algorithms will remain the same 12
  • 13.
    Assumptions •No ZSK/KSK rolloverin progress in the source signer to prevent situation of having multiple DNSKEY RR •The validity of the signatures is much longer that the TTL of the zone (2 or 3 times bigger) •Source and destination signers are not authoritative DNS servers but are hidden primaries. •Both the source and destination signers are provisioned the same way •The parent zone in-addr.arpa and ip6.arpa accepts Double-DS records for key rollover procedures. 13
  • 14.
    Migration Strategies 14 Criteria Option1 Export existing keys Option 2 Key rollover Option 3 New Keys Option 4 Existing keys followed by rollover Invalidity window NO NO YES NO Key manipulation YES NO NO YES Rollover time None Wait for old signatures to expire Wait for caches to pick up new keys - Number of interactions with parents 0 2 1 - DNSKEY RRset size Same Double Same Same Exposure of private keys YES NO: only public keys exposed NO YES
  • 15.
  • 16.
  • 17.
    Future work 17 Implications: • Trustin AfriNIC in managing DNSKEYs • Uptime, SLA, etc Hosted DNSSEC signer engines for AFRINIC members
  • 18.
    AFRINIC (r)DNSSEC Infrastructure ...and howwe (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 18