SLIDE 1

DNSSEC.CZ

CZ.NIC - http://www.nic.cz
Ondrej Filip / ondrej.filip@nic.cz
Oct 26 2011, Dakar, ICANN DNSSEC WS

SLIDE 2

DNSSEC penetration

  • About 17% of domains are signed
  • That means ~ 145.000 domains! (of 856.000)
  • Check numbers at http://www.nic.cz
SLIDE 3

Common complaints

  • There is no business case
  • Registrars do not want it
  • Registrants do not want it
  • It is too expensive
  • It is too complicated
  • Chicken and egg
SLIDE 4

Our philosophy

  • Somebody must start it up
  • Security is not a special service
  • Security is a feature, a natural part of domains
  • Registry responsibility
  • We need to find allies - ISPs, registrars, content providers, end-users

SLIDE 5

Communication with registrars

  • Seminars before and after DNSSEC launch
  • Nice conditions – no fee
  • DNSSEC training
  • Technical and economic incentives for registrars

SLIDE 6

Co-marketing

  • Registrar & CZ.NIC together
  • Cost split 50:50
  • Maximum limit is based on registrar performance

  • 7% of price given back
  • DNSSEC bonus – another 10%
  • One DNSSEC campaign already during 2009

SLIDE 7

End user education

  • Increase the awareness … always good
  • Presenting and explaining attacks against DNS
  • Communication with important players
  • Marketing communication – Dobra domena
  • Czech EU presidency – eu2009.cz - signed
  • http://www.dobradomena.cz/#/en/security/
  • DNSSEC tools
  • Research Labs http://labs.nic.cz
  • Open source
SLIDE 8

DNSSEC Education

  • Good Domain campaign
  • Secure domains campaign
SLIDE 9

  • Test DNSSEC compatibility – device (and network)

  • On-line database - EN/CZ/HU
  • Windows / Linux / Mac OS supported
  • Download at www.dnssectester.cz
SLIDE 10

DNSSEC Validator

  • Firefox add-on - shows an icon similar to 'https'
  • Validates domain name in the address bar
  • No DNSSEC, broken DNSSEC, functional DNSSEC

  • Download at: http://www.dnssec-validator.cz/
  • (Or search for DNSSEC at Mozilla Add-ons)
  • Working on Chrome, ...
SLIDE 11

Open validating resolvers

  • Do you have a validating resolver?
  • Go to www.dnssec.cz and check:
  • Public validating DNSSEC resolvers
  • http://labs.nic.cz/odvr
SLIDE 12

After launch

  • Some registrars started to offer DNSSEC
  • But as a bundle in a 'secure domain' product
  • For a small additional fee

[Chart: x-axis months 2008-09 to 2009-12; y-axis 200 to 1600]

SLIDE 13

But later

[Chart: x-axis 2008-09 to 2011-09; y-axis 20000 to 160000]

SLIDE 14

DNSSEC

  • Three registrars enabled DNSSEC by default – domains on their DNS servers
  • No additional fee
  • Marketing advantage
  • Well communicated – very good media coverage
  • Synergy with other TLDs (like .eu)
  • 11 registrars have more than 100 signed domains each – more than 90% of market share

SLIDE 15

Forecast (in Qs)

[Chart: x-axis quarters 09-Q3 onward; y-axis 50000 to 400000]

SLIDE 16

Conclusion

  • DNSSEC can be deployed at larger scale
  • It is not so complicated
  • Registry can/should start it up
  • Currently we are working on the validation side and important domains
  • Czech Republic - the most secured DNS in the world :-) - and we go on...

SLIDE 17

Thank you

Questions?

Ondrej Filip

ondrej.filip@nic.cz

http://www.dnssec.cz