DNSSEC Signer Switchover experience Alain Patrick AINA Former: - PowerPoint PPT Presentation

Feb 22, 2023 •314 likes •444 views

DNSSEC Signer Switchover experience Alain Patrick AINA Former: AFRINIC NOW: WACREN Alain.Aina@wacren.net Disclaimer This switchover was done at AFRINIC https://www.afrinic.net/en/initiatives/dnssec

DNSSEC Signer Switchover experience Alain Patrick AINA Former: AFRINIC NOW: WACREN Alain.Aina@wacren.net
Disclaimer This switchover was done at AFRINIC https://www.afrinic.net/en/initiatives/dnssec https://afrinic.net/blog/67-migrating-an-opendnssec-signer
Context ü Old signer on Opendnssec ü Keys in SoftHSM ü KSK/ZSK, NSEC ü RSASHA256 ü Sqlite database ü Zone signing issues noted ü Workarounds until migration
Motivations ü Migrate to a newer version which is more stable, secure and scalable with : ü MySql database ü New version of SoftHSM ü Keys in SoftHSM ü Same key algorithms and size ü Same policies ü Etc. ¡ ¡
Strategy ¡ ü No private key export ü No fresh start ü Keep validation state of all signed zones all the time ü Migrate with keys rollover ¡
Architecture
Pre ¡publish ¡DNSKEY ¡& ¡double ¡DS ¡
Before switchov er ¡ KSK New signer: 20119 ZSK New signer : 58890
After switchover
Final before old DS removal
And so.. ¡ ü It requires careful consideration of the planning and various timings ü Signatures lifetime ü TTLs ü Keys management ü Switchover ü Etc.. ü It works out very well ü No crash ü No alert ¡ ¡
Conclusions ü Good experience ü Would have been a different story with keys in HSM ü Will do same thing next time ü Excerpt Pre-publishing KSKs ¡

Recommend

Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Mans HSM

Towards Set and Forget DNSSEC The beginning of the end of key management? (The Poor Mans HSM Part 2) ccNSO Tech Day, 15 July 2013, Durban, ZA, Richard Lamb, slamb@xtcn.com Typical Signer (I am not a graphic artist!) time signer zone

463 views • 19 slides

AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer

AFRINIC (r)DNSSEC Infrastructure ...and how we (silently) migrated a signer Amreesh Phokeer amreesh@afrinic.net R&D ICANN-59 (28 June 2017) 1 African RIR RIR for the African and Indian Ocean region Community-driven through policy

610 views • 18 slides

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0

Research and Innovation By Alain P. AINA 03/12/2015 Department objectives RPKI v2.0 Project: New RPKI system DNSSEC v2.0 Project: New DNSSEC signer IETF activities: Identity and join key WGs and RGs African Internet Resources

308 views • 13 slides

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides

Simulating Space Use of Animals from RSF and SSF Johannes Signer ( signer_j) Wildlife

Simulating Space Use of Animals from RSF and SSF Johannes Signer ( signer_j) Wildlife Sciences, Georg-August-Universitt Gttingen Movebank Workshop SCENE 2019-05-02 Johannes Signer ( jsigner@gwdg.de, signer_j, jmsigner) 1/18

338 views • 33 slides

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides

Monopoly and the Incentive to Innovation When Adoption Involves Switchover Disruptions June 2,

Monopoly and the Incentive to Innovation When Adoption Involves Switchover Disruptions June 2, 2008 Thomas J. Holmes, David K. Levine and James A. Schmitz Jr. The Impact of Competition on Adoption of Cost Reducing Innovation Evidence:

198 views • 19 slides

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides

DNS OPERATIONAL EXPERIENCE Jot Powers February 2011 WHAT IM GOING TO TALK ABOUT

DNS OPERATIONAL EXPERIENCE Jot Powers February 2011 WHAT IM GOING TO TALK ABOUT Background In 2010 we moved our primary DNS out to SNS@ISC Why do you care? Its not DNSSEC yet. Details Production experience Future

288 views • 18 slides

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based

Making the Case for Elliptic Curves in DNSSEC an analysis of the impact of switching to ECC based on current DNSSEC deployments in .com, .net and .org Introduction DNSSEC deployment has taken off, but there are still operational issues

408 views • 16 slides

Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions

COBHAM Tools for Deployment of DNSSEC Russ Mundy Co-Chair DNSSEC Initiative Cobham Analytic Solutions (aka: SPARTA, Inc. ) 08 December 2010 COBHAM Simple Illustration I need to have a of DNS Components WWW record Zone Administrator

979 views • 62 slides