afrinic r dnssec infrastructure
play

AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated - PowerPoint PPT Presentation

Mar 07, 2023 •422 likes •610 views

AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 1 African RIR RIR for the African and Indian Ocean region Community-driven through policy

  1. AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 1

  2. African RIR ● RIR for the African and Indian Ocean region ● Community-driven through policy discussion ● Allocation of IPv4, IPv6 and ASN ● Maintains WHOIS database ● Provides security services for resources: RPKI, IRR, DNSSEC ● Provides IPv6 and other trainings ● Since 2016 => AfriNIC Labs 2

  3. AfriNIC DNS Programmes • African Root Server Copy (AfRSCP) – 6 Root Servers (K and L) • AfriNIC supported RFC5855 servers – “c.in-addr.arpa” and “c.ip6.arpa” • African DNS Support Programme (AfDSP) – Free secondary/slave to African ccTLDs (~30) 3

  4. RDNS >$ host 192.0.32.7 7.32.0.192.in-addr.arpa domain name pointer www.icann.org. 4

  5. DNSSEC@AfriNIC • AfriNIC operates RDNS for its IPv4 and IPv6 zones – 0.c.2.ip6.arpa. – 3.4.1.0.0.2.ip6.arpa. – 2.4.1.0.0.2.ip6.arpa. – {41,196,197,102,105,154}.in-addr.arpa. • Member signs their reverse zones and sends DS records to AfriNIC 196.216/16 ----> 216.196.in-addr.arpa 5

  6. WHOIS Domain object do domain: 2 : 2.9 .9.0 .0.0 .0.8 .8.f .f.3 .3.4 .4.1 .1.0 .0.0 .0.2 .2.i .ip6 p6.a .arpa pa de descr: rDNS for or 2001:43f8:92::/4 /48 - AF AFRINIC C CP CPT OPS or org: g: ORG ORG-AF AFNC1 C1-AF AFRINIC ad admin-c: c: IT7-AF AFRINIC tech-c: te c: IT7-AF AFRINIC zo zone-c: c: IT7-AF AFRINIC ns nser erver er: ns : ns1.a 1.afrini nic.net .net ns nser erver er: ns : ns3.a 3.afrini nic.net .net ns nser erver er: ns : ns2.a 2.afrini nic.net .net ds ds-rd rdata ta: 2842 8 2 c2 c2e3b07f192cf cfdb0f0395e66f446ce ce02e9484e22fb787a17f7babe91547 d3 d3ed4 d4 re remark rks: A : AFRINI NIC C CPT O OPS mn mnt-by by: AFRI RINIC-IT IT-MN MNT mn mnt-lo lowe wer: AF AFRINIC-IT IT-MN MNT so source: AFRINIC # Filtered 6

  7. MyAFRINIC 7

  8. DNSSEC Policy Parameter Key Length Algorithm KS KSK 2048 bits 2048 RSA RS ZSK ZSK 1024 1024 bits RSA RS Signa Si natur ure SHA-256 SH 256 RS RSA • • Rollover TTL: – ZSK: Monthly – DNSKEY: TTL on SOA – KSK: Yearly (double DS) – NSEC: mininum of SOA – RRSIG: lowest TTL • Signature lifetime: 15 days – DS: TTL on NS 8

  9. Architecture 9

  10. 5 Members with DS records • ATI - Agence Tunisienne Internet • CBC EMEA LTD • Posix Systems (Pty) Ltd • RMS Powertronics CC • Rhodes University • AfriNIC Ltd Adoption very very low!!!! 10

  11. Signer Migration Why? • Scalability issues with OpenDNSSEC v1.3 • Large delays for signing of zones • The old signer was stuck into "flush mode" occasionally, leading to members to complain about time to propagate of their changes. • Limited support for AXFR IN and OUT 11

  12. Guiding principles • DNSSEC validation maintained all the time • There should be minimum manual editing of signed zones • Migration should be done as quickly as possible • Interaction with parents is kept to a mininum • Key sizes and algorithms will remain the same 12

  13. Assumptions • No ZSK/KSK rollover in progress in the source signer to prevent situation of having multiple DNSKEY RR • The validity of the signatures is much longer that the TTL of the zone (2 or 3 times bigger) • Source and destination signers are not authoritative DNS servers but are hidden primaries. • Both the source and destination signers are provisioned the same way • The parent zone in-addr.arpa and ip6.arpa accepts Double-DS records for key rollover procedures. 13

  14. Migration Strategies Cr Crit iteria ia Opt Option on 1 Opt Option on 2 Opt Option on 3 Option Opt on 4 Expor Ex port Ke Key rollover Ne New K Keys Existing Ex g keys existing ex ng fo followed b by keys ke ys rollover ro r In Invalidity window NO NO YES NO Key manipulation Ke YES NO NO YES Rol Rollov over time me None Wait for old signatures to Wait for - expire caches to pick up new keys Nu Number o r of f 0 2 1 - interactio in ions wit with parents DN DNSKEY RRset size Same Double Same Same Ex Expos posure of of pr private YES NO: only public keys NO YES exposed keys ke ys 14

  15. Migration timeline 15

  16. Double DS 16

  17. Future work Hosted DNSSEC signer engines for AFRINIC members Implications: • Trust in AfriNIC in managing DNSKEYs • Uptime, SLA, etc 17

  18. AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNSSEC Signer Switchover experience Alain Patrick AINA Former: AFRINIC NOW: WACREN

DNSSEC Signer Switchover experience Alain Patrick AINA Former: AFRINIC NOW: WACREN

DNSSEC Signer Switchover experience Alain Patrick AINA Former: AFRINIC NOW: WACREN Alain.Aina@wacren.net Disclaimer This switchover was done at AFRINIC https://www.afrinic.net/en/initiatives/dnssec

444 views • 12 slides
AfriNIC-11 Meeting IPv6 Deployment on AfriNIC Infrastructure 24th November 2009, Dakar

AfriNIC-11 Meeting IPv6 Deployment on AfriNIC Infrastructure 24th November 2009, Dakar

AfriNIC-11 Meeting IPv6 Deployment on AfriNIC Infrastructure 24th November 2009, Dakar Senegal Hari Kurup AfriNIC (remote presentation) Overview Objective Readiness Assessment Addressing Plan IPv6 Transit Test bed Security,

513 views • 18 slides
AfriNIC Training 2009, 2010 & Beyond Mukom Akong TAMON tamon@afrinic.net Thursday, November

AfriNIC Training 2009, 2010 & Beyond Mukom Akong TAMON tamon@afrinic.net Thursday, November

AfriNIC Training 2009, 2010 & Beyond Mukom Akong TAMON tamon@afrinic.net Thursday, November 26, 2009 2009 Update March Accra, Ghana LIR+IPv6 English March Lagos, Nigeria LIR+IPv6 English April Tunis, Tunisia DNSSEC+IPv6 French

467 views • 10 slides
AFRINIC Update Alan Barrett CEO AFRINIC About AFRINIC Vision: Be the leading force

AFRINIC Update Alan Barrett CEO AFRINIC About AFRINIC Vision: Be the leading force

AFRINIC Update Alan Barrett CEO AFRINIC About AFRINIC Vision: Be the leading force in growing the internet for Africa's sustainable development. AFRINIC is the Regional Internet Registry (RIR) for Africa and the Indian Ocean

451 views • 18 slides
AfriN AfriNIC 11 IC 11 No Novemb ember er 200 2009 AfriNIC Anti-Abuse Group S. Moonesamy

AfriN AfriNIC 11 IC 11 No Novemb ember er 200 2009 AfriNIC Anti-Abuse Group S. Moonesamy

AfriN AfriNIC 11 IC 11 No Novemb ember er 200 2009 AfriNIC Anti-Abuse Group S. Moonesamy sm+afrinic@elandsys.com 1 Whats the AAAG? Open to networks in the AfriNIC region No membership or other fees Stop email abuse Senders and

842 views • 8 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
AFRINIC-11 LOGISTICS AND ANNOUCEMENTS LILLIAN SHARPLEY, COMMUNICATIONS AREA MANAGER AFRINIC-11

AFRINIC-11 LOGISTICS AND ANNOUCEMENTS LILLIAN SHARPLEY, COMMUNICATIONS AREA MANAGER AFRINIC-11

AFRINIC-11 LOGISTICS AND ANNOUCEMENTS LILLIAN SHARPLEY, COMMUNICATIONS AREA MANAGER AFRINIC-11 SPECIAL THANKS AGENDA OVERVIEW 4 th AFRICAN IPv6 CONFERENCE TUESDAY, 24 NOV 2009 MORNING IPv6 Uptake, International ISP, Orange Update on

577 views • 13 slides
Mail Abuse S. Moonesamy Eland Systems sm+afrinic@elandsys.com 1 How do we stop spam No

Mail Abuse S. Moonesamy Eland Systems sm+afrinic@elandsys.com 1 How do we stop spam No

AfriN AfriNIC 11 IC 11 No Novemb ember er 200 2009 Mail Abuse S. Moonesamy Eland Systems sm+afrinic@elandsys.com 1 How do we stop spam No instant solution Social problem AfriNIC 11 - Mail Abuse 2 How we read an email message

336 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
The .de DNSSEC testbed - halftime, no break - Peter Koch <koch@denic.de> Bruxelles, 23

The .de DNSSEC testbed - halftime, no break - Peter Koch <koch@denic.de> Bruxelles, 23

The .de DNSSEC testbed - halftime, no break - Peter Koch <koch@denic.de> Bruxelles, 23 Juin 2010 / Brussel, 23 Juni 2010 .de DNSSEC testbed: roadmap Stage 0 -- DNS 2009-12-01 Unsigned DE zone published on dedicated infrastructure

132 views • 11 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1 04/12/2015' Presentation Objectives ! Create awareness of IPv6 Security implications. ! Highlight technical concepts on IPv6 weaknesses ! Describe

822 views • 36 slides
Secure Socket Layer Health Assessment Mick Pouw, Eric van den Haak February 5, 2014 Introduction

Secure Socket Layer Health Assessment Mick Pouw, Eric van den Haak February 5, 2014 Introduction

Introduction Research Conclusion Demo Questions Secure Socket Layer Health Assessment Mick Pouw, Eric van den Haak February 5, 2014 Introduction Research Conclusion Demo Questions Introduction 1 Background Research Questions

497 views • 18 slides
Flavors Library for Fast Parallel Lookup Using Custom Radix Trees Presentation ID 23269 Albert

Flavors Library for Fast Parallel Lookup Using Custom Radix Trees Presentation ID 23269 Albert

Flavors Library for Fast Parallel Lookup Using Custom Radix Trees Presentation ID 23269 Albert Wolant Warsaw University of Technology GTC Europe 11 October 2017 1 Acknowledgements Krzysztof Kaczmarski, Ph.D - my Ph.D thesis advisor

1.31k views • 93 slides
PROCUREMENT SERIES: PART I JABSOM Administrators Meeting (JAM) Thursday, August 2, 2018, 9:30

PROCUREMENT SERIES: PART I JABSOM Administrators Meeting (JAM) Thursday, August 2, 2018, 9:30

PROCUREMENT SERIES: PART I JABSOM Administrators Meeting (JAM) Thursday, August 2, 2018, 9:30 am MEB 315 Auditorium PROCUREMENT SERIES: PART I What is Procurement? Micro-Purchases Source Selection Methods Showcase: SPO Price

429 views • 20 slides
Belmont Park Redevelopment Project Update Summary of Public Comments on General Project Plan and

Belmont Park Redevelopment Project Update Summary of Public Comments on General Project Plan and

Belmont Park Redevelopment Project Update Summary of Public Comments on General Project Plan and Draft Environmental Impact Statement 7/8/2019 7/11/2019 Key Project Components (from DEIS and Dec GPP) Key Components from the DEIS 18,000

431 views • 11 slides
Rijndael for AES Vincent Rijmen Joan Daemen COSIC Proton World Security Intrinsic

Rijndael for AES Vincent Rijmen Joan Daemen COSIC Proton World Security Intrinsic

Rijndael for AES Vincent Rijmen Joan Daemen COSIC Proton World Security Intrinsic security: no algorithm has been broken Implementation attacks (e.g., DPA): Table-lookup and XOR operations only Rijndael lends itself to secure

515 views • 3 slides
Second Presentation to Task Force: Key Findings from System Analysis September 19, 2017 CSG

Second Presentation to Task Force: Key Findings from System Analysis September 19, 2017 CSG

Second Presentation to Task Force: Key Findings from System Analysis September 19, 2017 CSG Justice Center Presenters Nina Salomon, Project Manager, Juvenile Justice Nancy Arrigona, Research Manager Rebecca Cohen, PhD, Research Manager Shanelle

819 views • 68 slides
MACALESTER COLLEGE DEWITT WALLACE LIBRARY SPACE SURVEY & FEEDBACK FALL 2019 HGA MACALESTER

MACALESTER COLLEGE DEWITT WALLACE LIBRARY SPACE SURVEY & FEEDBACK FALL 2019 HGA MACALESTER

MACALESTER COLLEGE DEWITT WALLACE LIBRARY SPACE SURVEY & FEEDBACK FALL 2019 HGA MACALESTER COLLEGE DEWITT WALLACE LIBRARY PROGRAMMING & PLANNING LIBRARY SPACE PLANNING GROUP o Karine Moe , Provost and Dean of Faculty o Angi Faiks ,

761 views • 52 slides
Dudley Branch Library Renovations Martin J. Walsh, Mayor Project #7084 City of Boston Public

Dudley Branch Library Renovations Martin J. Walsh, Mayor Project #7084 City of Boston Public

Dudley Branch Library Renovations Martin J. Walsh, Mayor Project #7084 City of Boston Public Facilities Department Boston Public Library Utile, Inc. Architecture and Planning May 9, 2017 Dudley Branch Library | City of Boston Public

645 views • 37 slides

More recommend