DNSSEC Deployment for .VN
Nguyen Trung Kien | Ho Chi Minh City | Feb 2017
MINISTRY OF INFORMATION AND COMMUNICATIONS
VIETNAM INTERNET NETWORK INFORMATION CENTER
Overview
Preparations
Deployment
Next Plan
www.vnnic.vn
Current Status for DNSSEC Deployment
• For TLDs (24 Jan 2017):
o 1528 TLDs in the root zone in total
o 1383 TLDs are signed (~ 90%)
• For ccTLDs:
DNSSEC in Vietnam
• From 2012: Experimental
• 10/2014: Announced
• 2015: Partial
• 2016: DS in Root
• 2017 -: Operational
1. Experimental:
o Attended forums and conferences
o Research on DNSSEC
2. Announced:
o DNSSEC OT&E
o Training
3. Partial:
o Signing & key rollover
o Tools & software development
4. DS in Root:
o Generation & submission
o Monitoring
5. Operational:
o Support to deploy DNSSEC
o Upgrades and improvements
o Debugging
Preparations
DNSSEC Plan
• 2015: Preparation
o Planning
o Preparing human and technical resources
o Promote cooperation activities, training
o Policy, procedure, process
• 2016: Implementation
o Key generation & zone signing for .VN
o .VN zone is signed & DS has been published to DNS ROOT
o Continue promotion activities, training
• 2017: Accomplishment
o Upgrade SRS to support EPP
o ISP, Registrar, DNS Owner in Vietnam
DNSSEC in 2016
No. Tasks
1 DNSSEC Plan for .VN domain name
2 Established DNSSEC team & Training skills
3 Infrastructure for DNSSEC:
- Topology: DC/DR
- DNSSEC System: DNS/DNSSEC server & HSM
4 DNSSEC documents & DPS
5 DNSSEC Production for VN zone:
- DNS & HSM Integrated
- Inline-signing bump in the wire
- DNSSEC Monitoring
6 SRS-EPP OTE support DNSSEC
7 Key signing ceremony scripts
8 Signing VN zone & update DS to root
Topology
• Resilient: built with DC and DR (HN & HCM city)
o Active – standby: each site serves as a backup to the other.
o Each site contains two independent instances of equipment that are able to sign the .VN zone
• Policy:
o Private keys are stored in HSM
o Public keys are stored in zone data (DNSKEY record) and published to the community
• Roles for signing key operator:
o KGA (Key Generation Administrator)
o SA (System Administrator)
o SO (Security Officer)
o WI (Witness)
• Activities:
o Key generation (KSK, ZSK)
o Key rollover (KSK, ZSK)
o Key revocation (KSK, ZSK)
Topology (cont.)
Security Area
1. Security Area 3
- Network Operations Center (NOC)
- Authentication: Fingerprint, SmartCard
2. Security Area 2
- Server Room
- Authentication: SmartCard
3. Security Area 1
- DNSSEC Cage:
o Cabinet 3: KGA, SA, SO access
o Cabinet 2: SA (Facility, Network) access
o Cabinet 1: SA (DNS, HSM), SO access
- Authentication: Fingerprint, Password
[Figure: layout of Security Areas 1, 2 and 3 with Cabinets 1, 2 and 3; labels: Facility/Network, DNS/DNSSEC/HSM, HSM Smartcard, Key, Card]
Key Parameters
KSK:
• Private/Public Key pair
• Key Algorithm: RSA/SHA-256
• Key size: 2048
• Manual rollover
ZSK:
• Private/Public Key pair
• Key Algorithm: RSA/SHA-256
• Key size: 1024
• Automatic rollover
Key Type | Function | Algorithm | Key length | NSEC/NSEC3
KSK | Sign DNSKEY | RSA-SHA256 | 2048 bits | NSEC3
ZSK | Sign RRSET | RSA-SHA256 | 1024 bits | NSEC3
Key Type | Key Rollover | Signing Validity | Refresh Time
KSK | 12 months | |
ZSK | 90 days | 30 days | 7.5 days
Key Generation & Rollover
• Key Generation:
o HSM Master generates and stores the new KSK, ZSK
o HSM Master synchronizes the key to the other HSMs (manual synchronization)
o DNSSEC Signer loads the key label from the HSM (only private key)
o DNSSEC Signer configures the DNSSEC keys; the HSM uses the private key to sign data.
o Update DS to the parent zone (only with KSK generation)
o Requires a KGA, SA, SO, WI
• Key Rollover:
o ZSK Rollover: Pre-Publish; KSK Rollover: Double Signing
o Time to rollover:
- KSK: 30 days before key expires.
- ZSK: 2 days before key expires.
o Procedure:
- ZSK: Automatic rollover – by script.
- KSK: Manual rollover – key signing ceremony + update DS to parent zone.
Deployment
Zone Signing
• We deployed a new DNSSEC Production system:
o New DNSSEC Hidden/Master
o Zone transfer from DNS Hidden/Master to DNSSEC Hidden/Master
• Zone signing of the VN zone on DNSSEC production:
o DC-DR model.
o Signing with HSM Cluster (4 DNSSEC Signer/HSM)
• DNS services (without DNSSEC) on-line for resolving, DNSSEC services off-line for trial operation
[Figure: Zone Generation, Hidden Master, Signer box, Name Servers, Test Name Servers]
DNSSEC Online
• Key Signing Ceremony for VN zone (20 Dec 2016):
o Internal Ceremony in VNNIC
o Key Generation for VN zone (KSKs, ZSKs)
• Change DNS Master to DNSSEC master to publish the signed vn zone.
• Check DNS Secondary after zone transfer of the signed vn zone (only for 5 minutes)
• Passed IANA’s validation for DS Record of .VN
• DS for .VN became effective on 31 Dec 2016 in the root zone
[Figure: Zone Generation, Hidden Master, Signer box, Name Servers]
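The DS submission step above, as an added example (not VNNIC's tooling): it derives the key tag and SHA-256 DS record from DNSKEY RDATA and checks the key against the algorithm and sizes on the Key Parameters slide. The key bytes are constructed filler, and all function names are illustrative assumptions.

```python
import hashlib
import struct

RSASHA256 = 8        # DNSSEC algorithm number for RSA/SHA-256
DIGEST_SHA256 = 2    # DS digest type number for SHA-256
KSK_FLAGS = 257      # Zone Key bit + Secure Entry Point bit
ZSK_FLAGS = 256      # Zone Key bit only
# Key sizes from the "Key Parameters" slide.
POLICY_BITS = {KSK_FLAGS: 2048, ZSK_FLAGS: 1024}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def rsa_modulus_bits(public_key):
    """Modulus length of an RSA key in RFC 3110 layout (exp length, exp, modulus)."""
    if public_key[0] == 0:                      # 3-byte exponent length form
        exp_len, offset = struct.unpack("!H", public_key[1:3])[0], 3
    else:                                       # 1-byte exponent length form
        exp_len, offset = public_key[0], 1
    modulus = public_key[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def policy_findings(rdata):
    """Return a list of deviations from the slide's key parameters."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    findings = []
    if protocol != 3:
        findings.append(f"protocol field is {protocol}, must be 3")
    if algorithm != RSASHA256:
        findings.append(f"algorithm {algorithm} is not RSA/SHA-256 (8)")
    expected = POLICY_BITS.get(flags)
    if expected is None:
        findings.append(f"unexpected flags value {flags}")
    elif algorithm == RSASHA256:
        bits = rsa_modulus_bits(rdata[4:])
        if bits != expected:
            findings.append(f"key is {bits} bits, policy says {expected}")
    return findings


def make_ds(owner, rdata):
    """DS digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {DIGEST_SHA256} {digest}"


def constructed_rsa_key(bits):
    """CONSTRUCTED filler bytes shaped like an RSA key; not a usable key."""
    exponent = b"\x01\x00\x01"                  # 65537
    modulus = b"\xc1" + bytes((7 * i + 1) % 256 for i in range(bits // 8 - 1))
    return bytes([len(exponent)]) + exponent + modulus


if __name__ == "__main__":
    ksk = dnskey_rdata(KSK_FLAGS, RSASHA256, constructed_rsa_key(2048))
    weak = dnskey_rdata(KSK_FLAGS, RSASHA256, constructed_rsa_key(1024))
    print(make_ds("vn.", ksk))
    print("KSK findings:", policy_findings(ksk))
    print("undersized KSK findings:", policy_findings(weak))
```

Comparing the computed DS with the one the parent zone serves is a useful check before and after a KSK rollover, since a mismatch breaks validation for the whole zone.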
DNSSEC Monitoring
• Nagios is used to monitor the DNSSEC system
• Monitoring:
o Zone size
o Signature Expiry
o Zone signing process
o KSK, ZSK parameters
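The signature-expiry item above, as an added example (not VNNIC's plugin): a Nagios-style check that parses RRSIG records in dig presentation format and applies the 30-day signing validity and 7.5-day refresh time from the ZSK row of the Key Parameters slide. The 2-day critical threshold, the 2-hour inception slack, the key tag and the sample records are assumptions constructed for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2            # Nagios plugin exit codes

SIG_VALIDITY = timedelta(days=30)          # "Signing Validity" on the slide
REFRESH = timedelta(days=7.5)              # "Refresh Time" on the slide
CRITICAL_LEFT = timedelta(days=2)          # assumption: paging threshold
SLACK = timedelta(hours=2)                 # assumption: tolerated back-dated inception

# CONSTRUCTED sample records (key tag and signature are placeholders).
SAMPLE = """\
vn. 86400 IN RRSIG SOA 8 1 86400 20170214000000 20170115000000 11111 vn. Y29uc3RydWN0ZWQ=
vn. 86400 IN RRSIG NS 8 1 86400 20170126000000 20161227000000 11111 vn. Y29uc3RydWN0ZWQ=
vn. 0 IN RRSIG NSEC3PARAM 8 1 0 20170121000000 20161222000000 11111 vn. Y29uc3RydWN0ZWQ=
"""
SAMPLE_NOW = datetime(2017, 1, 20, tzinfo=timezone.utc)


def _ts(text):
    """RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    records = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith(";") or "RRSIG" not in fields:
            continue                        # comment or other record type
        i = fields.index("RRSIG")
        if len(fields) < i + 10:
            continue                        # truncated record, nothing to check
        records.append({
            "owner": fields[0],
            "covered": fields[i + 1],
            "expiration": _ts(fields[i + 5]),
            "inception": _ts(fields[i + 6]),
            "key_tag": int(fields[i + 7]),
        })
    return records


def check_rrsig(rec, now):
    name = f"{rec['owner']} {rec['covered']} (key tag {rec['key_tag']})"
    left = rec["expiration"] - now
    days = left.total_seconds() / 86400
    if rec["inception"] > now:
        return CRITICAL, f"{name}: signature not yet valid (clock problem?)"
    if left <= timedelta(0):
        return CRITICAL, f"{name}: signature expired"
    if left < CRITICAL_LEFT:
        return CRITICAL, f"{name}: only {days:.1f} days left"
    if left < REFRESH:
        # A healthy signer re-signs before this point, so refresh is overdue.
        return WARNING, f"{name}: {days:.1f} days left, refresh overdue"
    if rec["expiration"] - rec["inception"] > SIG_VALIDITY + SLACK:
        return WARNING, f"{name}: validity window longer than policy"
    return OK, f"{name}: {days:.1f} days left"


def check_zone(text, now):
    records = parse_rrsigs(text)
    if not records:
        return CRITICAL, ["no RRSIG records found: zone unsigned or query failed"]
    results = [check_rrsig(rec, now) for rec in records]
    return max(status for status, _ in results), [msg for _, msg in results]


if __name__ == "__main__":
    # A live plugin would pass dig output and datetime.now(timezone.utc).
    status, messages = check_zone(SAMPLE, SAMPLE_NOW)
    print(f"DNSSEC {['OK', 'WARNING', 'CRITICAL'][status]} - " + "; ".join(messages))
    sys.exit(status)
```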
Next Plan
DNSSEC in 2017
No. Tasks
1 Sign DNSSEC for:
• Sub-domain SLD, example: com.vn, net.vn, provinces domain…
• Reserve domain
• VNNIC’s domain
2 Open testbed for Registrar to update DS
3 Support and train ISPs, DNS Hosting Providers and DNS Owners to deploy DNSSEC
DNSSEC for ISPs
• Network:
o DNSSEC adds digital signatures to DNS response packets, which often exceed 1,500 bytes → increased bandwidth.
o Allow DNS queries over TCP
o Handle large UDP packets (>512 bytes, ≤4,000 bytes).
• Pre-Deployment:
o Software that supports DNSSEC: BIND version 9.7+, Unbound version 1.4+, Microsoft Windows Server 2012, Knot DNS 1.4.0, PowerDNS 3.0+
o Server systems are sufficiently modern
o Large UDP DNS packets are allowed through the firewall
o UDP fragments are not blocked by the firewall
DNSSEC for Registrars
• Upgrade the EPP system with secdns-1.1 to support DNSSEC.
• Connect to VNNIC’s EPP system.
DNSSEC for DNS Hosting Providers
• Upgrade DNS to support DNSSEC.
• Implement Signing box
• Connect to registrar to update DS records.
• Recommendation:
o Signing box:
- Open Source (BIND, NSD, opendnssec, softhsm…)
- Hardware (HSM)
o Operation:
- Follow policies, procedures
- Key management (KSK, ZSK)
- Key parameters (Algorithm, key size, NSEC/NSEC3)
Conclusion
• How to push ISP, DNS Hosting to support DNSSEC?
• Automated DS change with RFC 7344 “Automating DNSSEC Delegation Trust Maintenance”
https://tools.ietf.org/html/rfc7344
Thank you!
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

Recently uploaded

Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 

Recently uploaded (20)

Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 

DNSSEC deployment for .VN, with information on the DNSSEC plan for 2017

  • 1. DNSSEC Deployment for .VN. Nguyen Trung Kien | Ho Chi Minh City | Feb 2017. MINISTRY OF INFORMATION AND COMMUNICATIONS, VIETNAM INTERNET NETWORK INFORMATION CENTER
  • 3. Current Status for DNSSEC Deployment
    • For TLDs (24 Jan 2017):
      o 1528 TLDs in the root zone in total
      o 1383 TLDs are signed (~ 90%)
    • For ccTLDs:
    www.vnnic.vn
  • 4. DNSSEC in Vietnam
    • Timeline: From 2012 Experimental; 10/2014 Announced; 2015 Partial; 2016 DS in Root; 2017 - Operational
    1. Experimental:
      o Attended forums and conferences
      o Research on DNSSEC
    2. Announced:
      o DNSSEC OT&E
      o Training
    3. Partial:
      o Signing & key rollover
      o Tools & software development
    4. DS in Root:
      o Generation & submission
      o Monitoring
    5. Operational:
      o Support to deploy DNSSEC
      o Upgrades and improvements
      o Debugging
  • 6. DNSSEC Plan
    2015
    • Preparation
    • Planning
    • Preparing human and technical resources
    • Promote cooperation activities, training
    • Policy, procedure, process
    2016
    • Implementation
    • Key generation & zone signing for .VN
    • .VN zone is signed & DS has been published to DNS ROOT
    • Continue promotion activities, training
    2017
    • Accomplishment
    • Upgrade SRS to support EPP
    • ISP, Registrar, DNS Owner in Vietnam
  • 7. DNSSEC in 2016 (No. / Tasks)
    1. DNSSEC Plan for .VN domain name
    2. Established DNSSEC team & Training skills
    3. Infrastructure for DNSSEC:
      - Topology: DC/DR
      - DNSSEC System: DNS/DNSSEC server & HSM
    4. DNSSEC documents & DPS
    5. DNSSEC Production for VN zone:
      - DNS & HSM Integrated
      - Inline-signing bump in the wire
      - DNSSEC Monitoring
    6. SRS-EPP OTE support DNSSEC
    7. Key signing ceremony scripts
    8. Signing VN zone & update DS to root
  • 8. Topology
    • Resilient: built with DC and DR (HN & HCM city)
      o Active-standby: each site serves as a backup to the other.
      o Each site contains two independent instances of equipment, each able to sign the .VN zone
    • Policy:
      o Private keys are stored in HSM
      o Public keys are stored in zone data (DNSKEY record) and published to the community
    • Roles for signing key operator:
      o KGA (Key Generation Administrator)
      o SA (System Administrator)
      o SO (Security Officer)
      o WI (Witness)
    • Activities:
      o Key generation (KSK, ZSK)
      o Key rollover (KSK, ZSK)
      o Key revocation (KSK, ZSK)
  • 10. Security Area
    1. Security Area 3 - Network Operations Center (NOC)
      - Authentication: Fingerprint, SmartCard
    2. Security Area 2 - Server Room
      - Authentication: SmartCard
    3. Security Area 1 - DNSSEC Cage:
      o Cabinet 3: KGA, SA, SO access
      o Cabinet 2: SA (Facility, Network) access
      o Cabinet 1: SA (DNS, HSM), SO access
      - Authentication: Fingerprint, Password
    [Diagram: Security Areas 3, 2 and 1; Cabinet 1 (DNS/DNSSEC, HSM), Cabinet 2 (Facility, Network), Cabinet 3 (HSM Smartcard, Key, Card)]
  • 11. Key Parameters
    • KSK:
      o Private/Public Key pair
      o Key Algorithm: RSA/SHA-256
      o Key size: 2048
      o Manual rollover
    • ZSK:
      o Private/Public Key pair
      o Key Algorithm: RSA/SHA-256
      o Key size: 1024
      o Automatic rollover
    • Table (Key Type / Function / Algorithm / Key length / NSEC/NSEC3):
      o KSK: Sign DNSKEY; RSA-SHA256; 2048 bits; NSEC3
      o ZSK: Sign RRSET; 1024 bits
    • Table (Key Type / Key Rollover / Signing Validity / Refresh Time):
      o KSK: key rollover 12 months
      o ZSK: key rollover 90 days
      o Signing validity: 30 days; refresh time: 7.5 days
  • 12. Key Generation & Rollover
    • Key Generation:
      o HSM Master generates and stores the new KSK and ZSK
      o HSM Master synchronizes the keys to the other HSMs (manual synchronization)
      o DNSSEC Signer loads key label from HSM (only private key)
      o DNSSEC Signer configures the DNSSEC keys; the HSM uses the private key to sign data.
      o Update DS to the parent zone (only with KSK generation)
      o Requires a KGA, SA, SO and WI
    • Key Rollover:
      o ZSK Rollover: Pre-Publish; KSK Rollover: Double Signing
      o Time to rollover: KSK: 30 days before key expires. ZSK: 2 days before key expires.
      o Procedure: ZSK: automatic rollover, by script. KSK: manual rollover, by key signing ceremony plus DS update to the parent zone.
  • 14. Zone Signing
    • We deployed a new DNSSEC Production system:
      o New DNSSEC Hidden/Master
      o Zone transfer from DNS Hidden/Master to DNSSEC Hidden/Master
    • Zone signing VN zone on DNSSEC production:
      o DC-DR model.
      o Signing with HSM Cluster (4 DNSSEC Signer/HSM)
    • DNS services (without DNSSEC) on-line for resolving, DNSSEC services off-line for trial operation
    [Diagram: Zone Generation, Hidden Master, Name Servers, Signer box, Test Name Servers]
  • 15. DNSSEC Online
    • Key Signing Ceremony for VN zone (20 Dec 2016):
      o Internal Ceremony in VNNIC
      o Key Generation for VN zone (KSKs, ZSKs)
    • Change DNS Master to DNSSEC master to publish the signed vn zone.
    • Check DNS Secondary after zone transfer of the signed vn zone (only for 5 minutes)
    • Passed IANA's validation for DS Record of .VN
    • DS for .VN became effective in the root zone on 31 Dec 2016
    [Diagram: Zone Generation, Hidden Master, Name Servers, Signer box]
  • 16. DNSSEC Monitoring
    • Use Nagios to monitor the DNSSEC system
    • Monitoring:
      o Zone size
      o Signature Expiry
      o Zone signing process
      o KSK, ZSK parameters
  • 18. DNSSEC in 2017 (No. / Tasks)
    1. Sign DNSSEC for:
      • Sub-domain SLD, example: com.vn, net.vn, provinces domain…
      • Reserve domain
      • VNNIC's domain
    2. Open testbed for Registrar to update DS
    3. Support, training ISP, DNS Hosting Provider, DNS Owner to deploy DNSSEC
  • 19. DNSSEC for ISPs
    • Network:
      o DNSSEC adds digital signatures to DNS response packets, which often exceed 1,500 bytes → increased bandwidth.
      o Allow DNS queries over TCP
      o Handle large UDP packets (>512 bytes, ≤4,000 bytes).
    • Pre-Deployment:
      o Software supports DNSSEC: BIND version 9.7+, Unbound version 1.4+, Microsoft Windows Server 2012, Knot DNS 1.4.0, PowerDNS 3.0+
      o Server systems are sufficiently modern
      o Large UDP DNS packets are allowed through firewall
      o UDP fragments are not blocked by firewall
  • 20. DNSSEC for Registrars
    • Upgrade the EPP system to secdns-1.1 to support DNSSEC.
    • Connect to VNNIC's EPP system.
  • 21. DNSSEC for DNS Hosting Providers
    • Upgrade DNS to support DNSSEC.
    • Implement Signing box
    • Connect to registrar to update DS records.
    • Recommendation:
      o Signing box:
        - Open Source (BIND, NSD, opendnssec, softhsm…)
        - Hardware (HSM)
      o Operation:
        - Follow policies, procedures
        - Key management (KSK, ZSK)
        - Key parameters (Algorithm, key size, NSEC/NSEC3)
  • 22. Conclusion
    • How to push ISP, DNS Hosting to support DNSSEC?
    • Automated DS change with RFC 7344 "Automating DNSSEC Delegation Trust Maintenance" https://tools.ietf.org/html/rfc7344
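
The "Signature Expiry" item on the monitoring slide (16), combined with the validity and refresh figures on the key parameters slide (11), can be turned into a Nagios-style check like the one below. This is an added example, not VNNIC's own plugin. Assumptions: "Refresh Time 7.5 days" is read as the lead time before expiry at which the signer regenerates a signature, the critical threshold of half that window is a choice made here, and the RRSIG lines (zone `example.`, key tags, signatures) are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes
# Slide 11 "Refresh Time 7.5 days", read here (assumption) as the lead time
# before expiry at which the signer regenerates a signature.
REFRESH = timedelta(days=7.5)

# Constructed dig-style answer; key tags and signatures are placeholders.
SAMPLE = """\
example. 3600 IN RRSIG SOA 8 1 3600 20170215000000 20170116000000 11111 example. c2lnMQ==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20170203000000 20170104000000 22222 example. c2lnMg==
example. 3600 IN RRSIG NS 8 1 3600 20170128000000 20161229000000 11111 example. c2lnMw==
example. 3600 IN NS ns1.example.
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS (UTC) or seconds since the epoch (RFC 4034)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Return one dict per RRSIG line; other records and comments are skipped."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        sigs.append({"owner": f[0], "covers": f[4], "key_tag": int(f[10]),
                     "expires": parse_time(f[8]), "inception": parse_time(f[9])})
    return sigs

def check(text, now):
    """Return (nagios_status, message), reporting every signature that needs attention."""
    sigs = parse_rrsigs(text)
    if not sigs:
        return CRITICAL, "CRITICAL: no RRSIG in answer (unsigned zone or DO bit not set)"
    status, notes = OK, []
    for s in sigs:
        left = s["expires"] - now
        if left <= timedelta(0):
            level, why = CRITICAL, "expired"
        elif s["inception"] > now:
            level, why = CRITICAL, "inception is in the future"
        elif left < REFRESH / 2:
            level, why = CRITICAL, "re-signing badly overdue"
        elif left < REFRESH:
            level, why = WARNING, "re-signing overdue"
        else:
            continue
        status = max(status, level)
        notes.append(f"{s['covers']} (tag {s['key_tag']}): {why}, {left.days}d left")
    label = ("OK", "WARNING", "CRITICAL")[status]
    return status, f"{label}: " + ("; ".join(notes) or f"{len(sigs)} signatures fresh")

if __name__ == "__main__":
    code, msg = check(SAMPLE, datetime(2017, 1, 24, tzinfo=timezone.utc))
    print(msg)
    raise SystemExit(code)
```

The future-inception branch catches clock skew between the signer and the monitoring host, which validators would otherwise see as bogus signatures even though nothing has expired.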