Download as PDF, PPTX
DNSSEC implementation in Russia
The document discusses the implementation and challenges of DNSSEC in the .ru domain managed by the Technical Center of the Internet (TCI). It highlights the low adoption rates of DNSSEC compared to TLS, with only about 1.4% of name servers having DS records, as well as operational challenges such as expired domain records and the need for registrars to support automatic DNSSEC. TCI provides support for DS records in EPP and aims to educate end users on the importance of DNSSEC.
More Related Content
Similar to DNSSEC implementation in Russia
![Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]](https://cdn.slidesharecdn.com/ss_thumbnails/dnssec-final1425360815-150318234332-conversion-gate01-thumbnail.jpg?width=640&height=640&fit=bounds)
![DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]](https://cdn.slidesharecdn.com/ss_thumbnails/dnssec-cw1410840227-140916002907-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
DNSSEC implementation in Russia
- 1. DNSSEC in .RU Alexander Venedioukhin Technical Centerof the Internet tcinet.ru
- 2. DNSSEC TCI - registries' backboneservices. Runs DNS and domain registration services of .RU, .РФ, .SU, .ДЕТИ, .TATAR
- 3. DNSSEC DNSSEC started in.SU (2011) (first production zone - 23.11.2011) Main zone - .RU - signed in 2012, and .РФ - same year.
- 4. DNSSEC Signed with RSA + NSEC3 ZSKlifetime - 90 days Standard approach: .RU DNSVIZ.NET
- 5. DNSSEC Crypto procedures operator, officerand observer roles restricted access, air-gapped systems (for KSK) KSK - in HSM ZSK - in protected zone-signing machine (internal network) Challenges of routine operations Expired domain with DS - need to redelegate in grace period - how?
- 6. DNSSEC DNSSEC is NOTso popular. Yet Stats: https://statdom.ru/ 5.4 million names .RU and only about 1000 DS records nanoscale deployment
- 7. DNSSEC Compare to TLS(.RU): in September 2017 - 395462 TLS-nodes (HTTPS) Still about 10% of live web nodes Stats: https://statdom.ru/
- 8. DNSSEC Compare to DNS(.RU): in September 2017 - about 70000 name servers Number of zones with DS records -- approximately 1.4% of NS count (Not much meaning) Stats: https://statdom.ru/
- 9. DNSSEC DS record present butDNSSEC is not Cases: replaced name servers; changed administrator; etc, you name it. Expired RRSIGs
- 10. DNSSEC Why? 1. Users/admins -no reason to implement DNSSEC (no validation at client side); 2. Registrars do not support “automatic” DNSSEC; 3. Lack of APIs provided by registrars.
- 11. DNSSEC What we do? Registryhas full support for DS in EPP (including ECDSA 13/14); Requires valid DNSKEY for DS, and checks it. And we try to educate end users
- 12. DNSSEC in .RU Thankyou! Questions? Alexander Venedioukhin TCI http://tcinet.ru/