ke dnssec update
play

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on - PowerPoint PPT Presentation

Jan 06, 2024 •320 likes •449 views

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

  1. .ke DNSSec Update Toilem Poriot Godwin

  2. .ke DNSsec update ¡ Update on what .ke registry experienced ¡ 30th April 2015-- Longest mornings I have ever had. ¡ Day started as usual but takes a turn at 9:30am ¡ Great day turns to a “Dark Day”

  3. What happened ¡ Received call from registrar his .ke domains are not accessible ¡ There are challenges where most registrars have not mastered how to troubleshot DNS ¡ Thought its one of the situations a registrar has DNS misconfiguration on their name server ¡ All domains in my LAN/DNS were accessible

  4. When DNSsec Goes Wrong ¡ All domains in my LAN/DNS were accessible ¡ Government Websites/Domains were accessible ¡ Later I noticed most domains whose nameservers refreshed cache after 5 hour were inaccessible ¡ Question of DNSSec and Inaccessibility of domains later arose---Why these domains were accessible at all-- thought all request to a domains will be rejected if keys/signatures didn't match

  5. Troubleshooting ¡ Started doing DNS troubleshooting on my LAN ¡ Started troubleshooting DNS on registrars LAN/ Server ¡ Thought I should check on DNSSec since all configs were ok. ¡ Alas to my surprise my signatures had expired

  6. Troubleshooting cont.. ¡ My signatures were set to expire a month after the day the signatures were revoked ¡ I had set DNSSec-auto-maintain to on--Big mistake ¡ DNSSec Auto-mantain on is the default setting to some bind versions ¡ Saw my keys as bogus.

  7. Resolve the Problem ¡ Panic... panic... Panic... never experienced a DNSsec breakdown before. ¡ Contacted IANA to remove the DS records from the root---- another big mistake--IANA acts on DNS changes within 24 hours and if everything checks out your request may be completed in 72 hours ¡ .ke domains were offline and our primary contacts were .ke we could not receive IANA's confirmations. This took me around 30 minutes to understand since I could receive emails from other domains. ¡ Return to the option that I should have used first, find my keys That i used to generate the signatures and resign the zone.

  8. Resolve Problem cont…… ¡ Got the keys but for some reason the seemed corrupt. ¡ Found one key with same key tags on DS and resigned the domain ¡ Zone came up but had issues with bogus Serial records. ¡ With this bogus record .ke domains were still accessible--begs the question how DNSSec checks records and blocks queries again????

  9. Preventing future DNSSec Failures ¡ Set DNSSec Automaitain to off ¡ Detailed DNSSec Monitoring ¡ Rigorous test on DNS Server for any bugs report or find a work around

  10. Lessons Learned ¡ If DNSSec fails in a registry environment try restoring your keys than removing DS records ¡ Communication to ¡ Practice on all possible DNSSec Failures. ¡ Check on DNSSec maintain, Compare pros and cons on setting Auto-maintain on or off

  11. END……… Thank You

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54

DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54

DNS Operator Role Bootstrapping DNSSEC Chain of Trust Update since ICANN53 Buenos Aires ICANN54 Dublin DNSSEC Workshop Latour - October 21, 2015 Last update ICANN53 DNSSEC Workshop June 24, 2015

442 views • 11 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010

DNSSEC Update 27 Aug 2010 Tokyo, Japan DNSSEC Update Signed root published 15 July, 2010 .bg .biz .br .cat .cz .dk .edu .lk .museum .na .org .tm .uk .us already in root. more coming (.se .ch .gov .li .my .nu .pr .th) 8 out of

836 views • 30 slides
DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th

DNSSEC update TF MNM, Lyon Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 16 th 2011 DNSSEC validation - Validation rate not rising very much - Interesting to see what will happen after .com signing 2 SURFnet. We make

482 views • 16 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45,

Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45,

Update on .GOV Matt Larson, VP, Office of the CTO, Verisign DNSSEC Workshop, ICANN 45, 17 October 2012 Background .GOV used by U.S. federal, state and local governments Verisign operates .GOV registry on

223 views • 7 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009

2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 $1,000,000 FY 2009 $800,000 Median $765,916 $ in thousands $600,000 FY 2006 FY 2007 FY 2008 $400,000 FY 2009 $200,000 $0 Texas University UC Michigan

1.4k views • 84 slides
Team UC Chile PSB Lab Everything in nature is about Context Motivation Bioluminescence

Team UC Chile PSB Lab Everything in nature is about Context Motivation Bioluminescence

Team UC Chile PSB Lab Everything in nature is about Context Motivation Bioluminescence Motivation sustainability Motivation Cycles ? Luxilla Biolamp Background Luxbrick Space Invader made by 2010 Cambridge iGEM team Team UC Chile

329 views • 32 slides
2017 UC - CUCSA Staff Engagement Survey Human Resources and Staff Assembly January 2018 We

2017 UC - CUCSA Staff Engagement Survey Human Resources and Staff Assembly January 2018 We

2017 UC - CUCSA Staff Engagement Survey Human Resources and Staff Assembly January 2018 We provide HR leadership and expertise to create and support a high-performing, inclusive Mission workplace which advances UCRs mission and strategic

717 views • 44 slides
UC Berkeley Campus Climate: Update on Findings and Plans

UC Berkeley Campus Climate: Update on Findings and Plans

UC Berkeley Campus Climate: Update on Findings and Plans Presenta8on to Graduate Assembly Liz Halimah, Assistant Vice Chancellor & Chief of Staff

313 views • 27 slides
New NYSE and NASD Rules Regarding Standards for Listed Companies On November 4, 2003, the

New NYSE and NASD Rules Regarding Standards for Listed Companies On November 4, 2003, the

BUSINESS DEPARTMENT E-NEWS ALERT NOVEMBER 22, 2002 New NYSE and NASD Rules Regarding Standards for Listed Companies On November 4, 2003, the Securities and Exchange Commission (Commission) approved new rules proposed by the New York

287 views • 7 slides
TRANSRADIAL CARDIAC CATHETERIZATION Amanda Ryan, DO, Interventional Cardiologist Heart Care

TRANSRADIAL CARDIAC CATHETERIZATION Amanda Ryan, DO, Interventional Cardiologist Heart Care

TRANSRADIAL CARDIAC CATHETERIZATION Amanda Ryan, DO, Interventional Cardiologist Heart Care Centers of Florida April 13, 2013 TOPICS Historical perspective and current trends Rationale for the radial approach Bleeding complications

982 views • 52 slides
Captain Michael Lloyd RD**, MNM,FNI,RNR Why Is the Ship Late? Why Is the Cargo Damaged? Why Are

Captain Michael Lloyd RD**, MNM,FNI,RNR Why Is the Ship Late? Why Is the Cargo Damaged? Why Are

Ultra-Large Vessels Captain Michael Lloyd RD**, MNM,FNI,RNR Why Is the Ship Late? Why Is the Cargo Damaged? Why Are the Containers Lost? Why Do Ships Sink? Container Losses In its 2014 survey, the WSC received reports from carriers

714 views • 16 slides
Park Assist Flank Guard Hands Free Rear camera Around View Mnitor Ultrasonic sensors (Rear

Park Assist Flank Guard Hands Free Rear camera Around View Mnitor Ultrasonic sensors (Rear

Vehicle Technologies The Advanced Drivers Assistance Systems Park Assist Flank Guard Hands Free Rear camera Around View Mnitor Ultrasonic sensors (Rear and front) parking Consistency between the 1968 Convention on Road Traffic and other

347 views • 7 slides

More recommend