dnssec signer switchover experience
play

DNSSEC Signer Switchover experience Alain Patrick AINA Former: - PowerPoint PPT Presentation

Feb 22, 2023 •314 likes •444 views

DNSSEC Signer Switchover experience Alain Patrick AINA Former: AFRINIC NOW: WACREN Alain.Aina@wacren.net Disclaimer This switchover was done at AFRINIC https://www.afrinic.net/en/initiatives/dnssec

  1. DNSSEC Signer Switchover experience Alain Patrick AINA Former: AFRINIC NOW: WACREN Alain.Aina@wacren.net

  2. Disclaimer This switchover was done at AFRINIC https://www.afrinic.net/en/initiatives/dnssec https://afrinic.net/blog/67-migrating-an-opendnssec-signer

  3. Context ü Old signer on Opendnssec ü Keys in SoftHSM ü KSK/ZSK, NSEC ü RSASHA256 ü Sqlite database ü Zone signing issues noted ü Workarounds until migration

  4. Motivations ü Migrate to a newer version which is more stable, secure and scalable with : ü MySql database ü New version of SoftHSM ü Keys in SoftHSM ü Same key algorithms and size ü Same policies ü Etc. ¡ ¡

  5. Strategy ¡ ü No private key export ü No fresh start ü Keep validation state of all signed zones all the time ü Migrate with keys rollover ¡

  6. Architecture

  7. Pre ¡publish ¡DNSKEY ¡& ¡double ¡DS ¡

  8. Before switchov er ¡ KSK New signer: 20119 ZSK New signer : 58890

  9. After switchover

  10. Final before old DS removal

  11. And so.. ¡ ü It requires careful consideration of the planning and various timings ü Signatures lifetime ü TTLs ü Keys management ü Switchover ü Etc.. ü It works out very well ü No crash ü No alert ¡ ¡

  12. Conclusions ü Good experience ü Would have been a different story with keys in HSM ü Will do same thing next time ü Excerpt Pre-publishing KSKs ¡

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Mans HSM

Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Mans HSM

Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Mans HSM Part 2) ccNSO Tech Day, 15 July 2013, Durban, ZA, Richard Lamb, slamb@xtcn.com Typical Signer (I am not a graphic artist!) time signer zone

463 views • 19 slides
AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer

AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer

AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 1 African RIR RIR for the African and Indian Ocean region Community-driven through policy

610 views • 18 slides
Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
Simulating Space Use of Animals from RSF and SSF Johannes Signer ( signer_j) Wildlife

Simulating Space Use of Animals from RSF and SSF Johannes Signer ( signer_j) Wildlife

Simulating Space Use of Animals from RSF and SSF Johannes Signer ( signer_j) Wildlife Sciences, Georg-August-Universitt Gttingen Movebank Workshop SCENE 2019-05-02 Johannes Signer ( jsigner@gwdg.de, signer_j, jmsigner) 1/18

338 views • 33 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
Monopoly and the Incentive to Innovation When Adoption Involves Switchover Disruptions June 2,

Monopoly and the Incentive to Innovation When Adoption Involves Switchover Disruptions June 2,

Monopoly and the Incentive to Innovation When Adoption Involves Switchover Disruptions June 2, 2008 Thomas J. Holmes, David K. Levine and James A. Schmitz Jr. The Impact of Competition on Adoption of Cost Reducing Innovation Evidence:

198 views • 19 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
Fresh Start with A Course in Miracles in the New Year. R O B E R T P E R R Y E M I L Y B E N N

Fresh Start with A Course in Miracles in the New Year. R O B E R T P E R R Y E M I L Y B E N N

C I R C L E O F A T O N E M E N T C I R C L E O F A . O R G Fresh Start with A Course in Miracles in the New Year. R O B E R T P E R R Y E M I L Y B E N N I N G T O N The Course talks about having a different year by

772 views • 19 slides
Moving from Principle to Moving from Principle to Execution Execution Applications of the

Moving from Principle to Moving from Principle to Execution Execution Applications of the

Moving from Principle to Moving from Principle to Execution Execution Applications of the Risk-Dosage Relationship Kimberly Gentry Sperber, Ph.D. Today s Session s Session Today Review of the risk principle Discussion of

578 views • 42 slides
Bank On Financial Education Standards Financial Education Barriers ? The Power of Collaboration:

Bank On Financial Education Standards Financial Education Barriers ? The Power of Collaboration:

Bank On Cowlitz Bank On Kitsap Bank On North Sound Bank On Pierce County Bank On Seattle-King County Bank On Spokane Bank On Thurston Bank On Yakima Bank On Financial Education Standards Financial Education

482 views • 8 slides
Supporting a Fresh Start Linking Individuals with Benefits upon Release from Incarceration

Supporting a Fresh Start Linking Individuals with Benefits upon Release from Incarceration

Supp Suppor orting a ng a Fresh Star esh Start: Linking Individuals with Linking Individuals with Benef Benefits upo upon R Release fr lease from om Incar Incarcera eratio ion Jason Jason Sauer Sauer, Deputy Assistant Director,

574 views • 19 slides
Pond and greenway invasive plant management Background: Engineering owns and maintains

Pond and greenway invasive plant management Background: Engineering owns and maintains

Pond and greenway invasive plant management Background: Engineering owns and maintains approximately 1,200 acres of storm water drainage ponds and greenway corridors Vegetation varies- approx. 60% are prairie, many are mowed grass, some

287 views • 13 slides
THE GOAL: Repurpose Fort Lyon and Create Solutions for Veteran and Chronic Homelessness 1

THE GOAL: Repurpose Fort Lyon and Create Solutions for Veteran and Chronic Homelessness 1

THE GOAL: Repurpose Fort Lyon and Create Solutions for Veteran and Chronic Homelessness 1 CHALLENGE: Unused capacity at Fort Lyon The Fort Lyon VA Hospital provided a caring community to veterans for over 100 years until 2002 when the property

209 views • 18 slides
FY 2020-2021 LEGISLATIVE APPROPRIATIONS REQUEST (LAR) OVERVIEW Texas Transportation Commission

FY 2020-2021 LEGISLATIVE APPROPRIATIONS REQUEST (LAR) OVERVIEW Texas Transportation Commission

FY 2020-2021 LEGISLATIVE APPROPRIATIONS REQUEST (LAR) OVERVIEW Texas Transportation Commission May 24, 2018 May 24, 2018 Legislative Appropriation Request Discussion Discussion Topics 1 Capital Budget 3-5 2 Full Time Equivalent (FTE)

419 views • 9 slides
Cerritos College 2017-18 Adopted Budget Presented By: Dr. Jose Fierro and Felipe Lopez September

Cerritos College 2017-18 Adopted Budget Presented By: Dr. Jose Fierro and Felipe Lopez September

Cerritos College 2017-18 Adopted Budget Presented By: Dr. Jose Fierro and Felipe Lopez September 6, 2017 Key Assumptions History of COLA California Community Year Statutory COLA Colleges COLA 2009-10 4.25% 0.00% 2010-11 -0.39% 0.00%

372 views • 12 slides

More recommend