AFRINIC, profile picture
Uploaded byAFRINIC
332 views

Dnssec afrinic-general

The document discusses DNSSEC at AFRINIC, including: 1. AFRINIC manages and delegates reverse DNS (RDNS) subdomains for IPv4 and IPv6 addresses to its members. RDNS provisioning includes domain objects from the WHOIS database and name servers from AFRINIC and other regional internet registries (RIRs). 2. The root, arpa, in-addr.arpa, and ip6.arpa zones have been signed with DNSSEC, so there is no excuse for RIRs not to sign the RDNS zones they manage. 3. AFRINIC has signed the RDNS zones it manages, publishes the DNS data in

Embed presentation

Download to read offline
DNSSEC @ AFRINIC DNSSEC TRAINING
AFRINIC and RDNS o As RIR, Afrinic manages and delegates RDNS subdomains to it members – Ipv4 { 41-196-197-102-105-154}.in-addr.arpa. – Ipv6 {0.c.2 - 3.4.1.0.0.2 – 2.4.1.0.0.2}.ip6.arpa. o RDNS provisioning system includes – Domain objects from whois database – Zonlets from Other RIRs – NS provided by AfriNIC and other RIRs
Example from WHOIS DB domain: 0.1.196.in-addr.arpa descr: AfriNIC Corporate nserver: ns1.afrinic.net nserver: ns2.afrinic.net nserver: ns3.mu.afrinic.net org: ORG-AFNC1-AFRINIC admin-c: TEAM-AFRINIC tech-c: TEAM-AFRINIC zone-c: TEAM-AFRINIC mnt-by: AFRINIC-IT-MNT mnt-lower: AFRINIC-IT-MNT source: AFRINIC
DNSSEC Within the RDNS o Root, arpa, in-addr.arpa, and Ip6.arpa have been signed and chain of trust built o No excuses for not signing RIRs managed RDNS zones o Deploying DNSSEC within the RDNS may enable some other security mechanisms around the addressing and its uses.
DNSSEC @ AfriNIC o Signed the managed RDNS zones o Published DNS in in-addr.arpa and ip6.arpa zones o Accept DS from Members – Accept DS from zonelets from Other RIRs
DNSSEC @ AfriNIC o Fee changes to the NS setup – Under control o RDNS provisioning system to be updated – Update domain object with DS attributes – Update on Myafrinic – DS processing • From domain objects • From zonelets o Opendnssec as signer – Testbed operational
DNSSEC @ AfriNIC o Signing policy * ZSK is RSA 1024 key usable for 30 days * KSK is a RSAS 2048 key usable for one Year * Zones are signed with NSEC * Signatures are valid for 7 Days * Signatures are refresh 3 days *DNSKEY TTL is the zone default TTL *NSEC TTL is the Neg TTL of the zone *RRSIG TTL is the Signed RRset TTL *Zones are signed daily o Unsigned vs signed(at startup) 2.5M /usr/local/var/opendnssec/unsigned/ 7.4M /usr/local/var/opendnssec/signed/
DNSSEC @ AfriNIC o Query for our signed zones ? Dig @dnssec.mu.afrinic.net We publish all the managed RDNS Zones o HSM included in RPKI infrastructure
Questions ??

More Related Content

PPTX
Revision control system (RCS)
byAbu Sufian
 
PPTX
Actividad 1
byandrescg99
 
PDF
Fashion Questions, Answers, Polls & Debates
byabrasivepan679
 
PPTX
Presentation2
bysagar ghutukade
 
PPT
Presentación power poiint1
byblogdelinguaeliteratura
 
DOC
Г.Янжиндулам Б.Түмэнжаргал - Жижиг дунд үйлдвэрлэлийг хөгжүүлэхэд факторингий...
bybatnasanb
 
DOCX
Genre research action
bytarranroche99
 
PDF
Proceedit 20151204 encuentros bpm & b paa s - gran desafío bpaas pyme 2016
byJosep Mª Cos i Riera
 
Revision control system (RCS)
byAbu Sufian
 
Actividad 1
byandrescg99
 
Fashion Questions, Answers, Polls & Debates
byabrasivepan679
 
Presentation2
bysagar ghutukade
 
Presentación power poiint1
byblogdelinguaeliteratura
 
Г.Янжиндулам Б.Түмэнжаргал - Жижиг дунд үйлдвэрлэлийг хөгжүүлэхэд факторингий...
bybatnasanb
 
Genre research action
bytarranroche99
 
Proceedit 20151204 encuentros bpm & b paa s - gran desafío bpaas pyme 2016
byJosep Mª Cos i Riera
 

Viewers also liked

PPTX
6 ppp
bycarladosu
 
PDF
ISO AUDITOR
byShahid Shakeel Clinical Chem Aku
 
PDF
Trabajo presentado en INTEA 2016
byUniversidad Católica de la Santísima Concepción
 
DOC
С. Мараа - Монгол дахь компаниудын трансакцийн зардал, түүнийг бууруулах боло...
bybatnasanb
 
PPT
3rd grade time powerpoint
byThigpen Donna
 
PDF
Hazardous Classification
bySiringoringo Dongan
 
PPTX
গ্রাফিক্স ডিজাইন শিখুন, ঘরে বসে আয় করুন
bysuhel ahmed
 
PDF
Cv Jawad Munir
byjawad_munir
 
PDF
NASCAR Summit
byJason Silverstein
 
PPTX
Moon presentation by Asad Ali
byAsad Ali
 
6 ppp
bycarladosu
 
ISO AUDITOR
byShahid Shakeel Clinical Chem Aku
 
Trabajo presentado en INTEA 2016
byUniversidad Católica de la Santísima Concepción
 
С. Мараа - Монгол дахь компаниудын трансакцийн зардал, түүнийг бууруулах боло...
bybatnasanb
 
3rd grade time powerpoint
byThigpen Donna
 
Hazardous Classification
bySiringoringo Dongan
 
গ্রাফিক্স ডিজাইন শিখুন, ঘরে বসে আয় করুন
bysuhel ahmed
 
Cv Jawad Munir
byjawad_munir
 
NASCAR Summit
byJason Silverstein
 
Moon presentation by Asad Ali
byAsad Ali
 

More from AFRINIC

PDF
AIS19 - Policies under discussion
byAFRINIC
 
PDF
AIS19 Newcomers Session (EN)
byAFRINIC
 
PDF
AFRINIC 101 2017
byAFRINIC
 
PDF
AFRINIC 101 2016 (Fr)
byAFRINIC
 
PDF
Internet development in Africa: a content use, hosting and distribution persp...
byAFRINIC
 
PDF
Insight Into Africa’s Country-level Latencies
byAFRINIC
 
PDF
Deep Diving into Africa’s Inter-Country Latencies
byAFRINIC
 
PDF
Studying performance barriers to cloud services in Africa's public sector
byAFRINIC
 
PDF
Routing security and implications for NRENs
byAFRINIC
 
PDF
APRICOT Latency Clustering
byAFRINIC
 
PDF
Latency clustering AfPIF2017
byAFRINIC
 
PDF
AFRINIC RIA MoU
byAFRINIC
 
PDF
DNS Measurements
byAFRINIC
 
PDF
AFRINIC DNSSEC Infrastructure and Signer Migration
byAFRINIC
 
PDF
Tampering With the Open Internet: Experiences From Africa
byAFRINIC
 
PDF
Assessing Internet Freedom and the Digital Resilience
byAFRINIC
 
PDF
Measuring quality of Internet links in NRENs
byAFRINIC
 
PDF
State of Internet measurement Infrastructure/tools in Africa
byAFRINIC
 
PDF
TraceMON - a new RIPE Atlas tool
byAFRINIC
 
PDF
Measuring the complexity of the Internet: indexes and indicators
byAFRINIC
 
AIS19 - Policies under discussion
byAFRINIC
 
AIS19 Newcomers Session (EN)
byAFRINIC
 
AFRINIC 101 2017
byAFRINIC
 
AFRINIC 101 2016 (Fr)
byAFRINIC
 
Internet development in Africa: a content use, hosting and distribution persp...
byAFRINIC
 
Insight Into Africa’s Country-level Latencies
byAFRINIC
 
Deep Diving into Africa’s Inter-Country Latencies
byAFRINIC
 
Studying performance barriers to cloud services in Africa's public sector
byAFRINIC
 
Routing security and implications for NRENs
byAFRINIC
 
APRICOT Latency Clustering
byAFRINIC
 
Latency clustering AfPIF2017
byAFRINIC
 
AFRINIC RIA MoU
byAFRINIC
 
DNS Measurements
byAFRINIC
 
AFRINIC DNSSEC Infrastructure and Signer Migration
byAFRINIC
 
Tampering With the Open Internet: Experiences From Africa
byAFRINIC
 
Assessing Internet Freedom and the Digital Resilience
byAFRINIC
 
Measuring quality of Internet links in NRENs
byAFRINIC
 
State of Internet measurement Infrastructure/tools in Africa
byAFRINIC
 
TraceMON - a new RIPE Atlas tool
byAFRINIC
 
Measuring the complexity of the Internet: indexes and indicators
byAFRINIC
 

Recently uploaded

PPTX
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
PDF
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 
PDF
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 
PPTX
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
PDF
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
PDF
Networking 2 Syllabus using cisco packet tracer simulator
byODINARARCH
 
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
Networking 2 Syllabus using cisco packet tracer simulator
byODINARARCH
 

Dnssec afrinic-general

  • 1.
  • 2.
    AFRINIC and RDNS oAs RIR, Afrinic manages and delegates RDNS subdomains to it members – Ipv4 { 41-196-197-102-105-154}.in-addr.arpa. – Ipv6 {0.c.2 - 3.4.1.0.0.2 – 2.4.1.0.0.2}.ip6.arpa. o RDNS provisioning system includes – Domain objects from whois database – Zonlets from Other RIRs – NS provided by AfriNIC and other RIRs
  • 3.
    Example from WHOISDB domain: 0.1.196.in-addr.arpa descr: AfriNIC Corporate nserver: ns1.afrinic.net nserver: ns2.afrinic.net nserver: ns3.mu.afrinic.net org: ORG-AFNC1-AFRINIC admin-c: TEAM-AFRINIC tech-c: TEAM-AFRINIC zone-c: TEAM-AFRINIC mnt-by: AFRINIC-IT-MNT mnt-lower: AFRINIC-IT-MNT source: AFRINIC
  • 4.
    DNSSEC Within theRDNS o Root, arpa, in-addr.arpa, and Ip6.arpa have been signed and chain of trust built o No excuses for not signing RIRs managed RDNS zones o Deploying DNSSEC within the RDNS may enable some other security mechanisms around the addressing and its uses.
  • 5.
    DNSSEC @ AfriNIC oSigned the managed RDNS zones o Published DNS in in-addr.arpa and ip6.arpa zones o Accept DS from Members – Accept DS from zonelets from Other RIRs
  • 6.
    DNSSEC @ AfriNIC oFee changes to the NS setup – Under control o RDNS provisioning system to be updated – Update domain object with DS attributes – Update on Myafrinic – DS processing • From domain objects • From zonelets o Opendnssec as signer – Testbed operational
  • 7.
    DNSSEC @ AfriNIC oSigning policy * ZSK is RSA 1024 key usable for 30 days * KSK is a RSAS 2048 key usable for one Year * Zones are signed with NSEC * Signatures are valid for 7 Days * Signatures are refresh 3 days *DNSKEY TTL is the zone default TTL *NSEC TTL is the Neg TTL of the zone *RRSIG TTL is the Signed RRset TTL *Zones are signed daily o Unsigned vs signed(at startup) 2.5M /usr/local/var/opendnssec/unsigned/ 7.4M /usr/local/var/opendnssec/signed/
  • 8.
    DNSSEC @ AfriNIC oQuery for our signed zones ? Dig @dnssec.mu.afrinic.net We publish all the managed RDNS Zones o HSM included in RPKI infrastructure
  • 9.