DNSSEC in .at (and beyond)

SLIDE 1

ICANN 50

Alexander Mayrhofer alexander.mayrhofer@nic.at

DNSSEC in .at (and beyond)

Panel discussion „DNSSEC activities in Europe“ DNSSEC workshop

Jun 25 2014 London, UK

SLIDE 2

DNSSEC Services

n ccTLD: .at

l DNSSEC in production since Feb 2012

n Registry-in-a-Box: 7+ new gTLDs

n DNSSEC mandatory

n RcodeZero Anycast DNS

l Bump-in-the-wire signing

SLIDE 3

.at Timeline

- Testbed: Feb 2011
- DUatZ: Dec 14 2012
- DS in root: Feb 09 2012
- EPP: Feb 29 2012

SLIDE 4

PR „fallout“

n DS-record „handover“ to IANA staff

l In person during CENTR meeting Salzburg

n Press release with first DNSSEC customer

l austria.at (tourism company)

n DNSSECCO J n 4 articles in newspapers and IT magazines

ICANN44

SLIDE 5

.at Specifics (technical)

n Software: OpenDNSSEC

l HSMs: Thales l 2 independent signing/validation chains

n Additional Emergency Key for TLDs

l DS in the root (but not currently used for signing) l Completely independent Infrastructure

n Multiple „validation“ mechanisms on the Zone

l Prevent publication of broken/incomplete zone

n Pre-generated emergency zone

l „now + one week“ serial with today‘s contents

n EPP: Domain Transfer optionally removes DS

l Unless gaining registrar has indicated to be DNSSEC aware

SLIDE 6

Registrar Stats Jun 17 2014

- Registrars: 432 (2012: 424)
- DNSSEC „on“: 38 (2012: 14)
- DNSSEC „in use“: 22 (2012: 9)

SLIDE 7

Domain Stats Jun 17 2014

- .at: 1.229.612 (2012: 1.146.176)
- DNSSEC: 987 (2012: 57)

SLIDE 8

New gTLDs: Registry-in-a-Box

n Signing setup identical to .at

l Separate Signing Chains l EPP: Transfer does never

remove DS

n Figures:

l TLDs delegated: 7 l 2nd-Level domains signed: 2

(across all 7 TLDs)

SLIDE 9

RcodeZero Anycast DNS

n Commercial Anycast service

l Two services: TLD / Registrars

n Registrar-DNS - DNSSEC

l „Bump in the Wire“ signing l Allows for full outsourcing of

key management

l Registry interaction remains

with the Registrar

n Available since Q1/2014

SLIDE 10

Thanks for your time!

?

mailto:alexander.mayrhofer@nic.at
http://www.nic.at/en/service/technical_information/dnssec/
