
ION Toronto - Deploying DNSSEC: A .CA Case Study


DESCRIPTION

ION Toronto, 11 November 2013: CIRA has completed two phases of a three-phase approach to implementing DNSSEC on the .CA country code Top Level Domain (ccTLD). First, it released a DNSSEC Practice Statement for comment, providing an operational outline of how CIRA plans to develop, maintain and manage DNSSEC deployment for .CA. Next, it held a key signing ceremony at which the cryptographic key used to secure the .CA zone was generated. On January 21, 2013, CIRA published a signed .CA zone file, and on January 23 the .CA DS record was submitted to the Internet Assigned Numbers Authority (IANA). The next phase of CIRA's DNSSEC work is to make the upgrades needed to ready the registry system for transacting DNSSEC-enabled .CA domain names; this work is expected to be complete in 2014, after which CIRA will be able to register DNSSEC-enabled .CA domain names. This session explores CIRA's technical solution for deploying DNSSEC support in the .CA registry, with the goal of making it easier for registrars, registrants and DNS operators to support any combination of DS and DNSKEY registration. It also takes a quick look at CIRA's DNSSEC awareness strategy, the status and progress of signed .CA domains, and the lessons learned and challenges of growing the number of signed domain names.


Page 1: ION Toronto - Deploying DNSSEC: A .CA Case Study

Deploying DNSSEC: A .CA Case Study

Canadian Internet Registration Authority (CIRA)

Jacques Latour

ION - Toronto

November 14, 2011

1 ION - Toronto - 2011-11-14

Page 2

About CIRA

1. Operate the .CA Top Level Domain Registry
   [Diagram: Registrant -> Registrar -> Registry -> .CA DNS]

2. Operate the .CA Top Level Domain DNS
   [Diagram: Root "." -> ".CA" -> 2nd level .CA domains; Internet users -> ISP -> ".CA"]

3. Do good things for the Canadian Internet: promote IXP development and the adoption of IPv6 and DNSSEC


Page 3

DNSSEC @ .CA

DNSSEC is a multi phase project

• Phase 1 – Sign .CA (completed January 2013) – Dual in-line signer – works great!

• Phase 2 – Implement DNSSEC support in the .CA registry – Current work in progress, planned for March 2014

• Phase 3 – Promote adoption of DNSSEC in Canada – .CA registrars, Internet service providers, enterprises – April 2014 and on-going


Page 4

DNSSEC Signer & Validation

• Dual online signer sets located in different locations
  – Sign with BIND & OpenDNSSEC (two independent signer implementations, each with its own HSM)
  – Signed zone file validation before the zone is used
  – DR site always up to date
• Resilient solution – 9 months in production
  – 8 ZSK rollovers
• 78 signed domains

[Diagram: 2.0/8.0 – DNSSEC Signer & Verification (Step 2). Two signer sets, [2.0] SIGNER - PRD and [8.0] SIGNER - BAK, each containing a DNSSEC Signer (Bind) (2.1 / 8.1) and a DNSSEC Signer (ODS) (2.2 / 8.2), each signer with its own HSM (HSM2.3, HSM2.4 / HSM8.3, HSM8.4), and two Level 2 Validators per set (2.5, 2.6 / 8.5, 8.6) that validate the signed zone output. Inputs are labelled 1-C (sticky) and 1-D (backup).]


Page 5

DNSSEC in the .CA Registry

• Primary objectives:

Keep it simple for Registrars to work with .CA


Page 6

Signing a 2nd Level Domain

• The DNS Operator is the entity that operates the authoritative DNS servers for the domain and generates the DNSSEC material

• Depending on the arrangement, the DNS Operator is:
  – the Registrant, when they run their own DNS
  – the Registrar, when it bundles DNS with services such as hosted web
  – a DNS service provider offering outsourced DNS


Page 7

Signing a 2nd Level Domain

• The DNS Operator is the entity that operates the DNS servers and generates the DNSSEC material: the DNSKEY record published in the child zone and/or the DS record derived from it.

viagenie.ca. 3556 IN DNSKEY 257 3 5 (
    AwEAAaejF8WJSwiUBCvpxrVrD40O9xIKy0GGUs0pvcAE
    2T8b2EsbmTnizimWygZ/BE0kCVViOVfW8JaxmwYwBPAD
    DuG2G23yHUJgfelW+7jM1L23VuqNc+It4z8fHse/g4sn
    NcZ/fjpSLAF0KMO95cUUzFKU6GTeFm+ebpxBvjQ+x21p
    TMJ8DWMAjbNRsaBS6yK2DVR3tQFkf9TrF7Rd4NiARG2n
    xkQ09JXS3+cv/kofRnxesV7unAc0nnw1aoeLDgGEj9+k
    u8Fu86hVGFq6HBgP+zrQCnTyspYk+d5OjQAzIPtB4G+X
    aWh/ZLfLwo9b7RFUT4c5fSxZLHYotHspCasS8gM=
    ) ; key id = 20878

viagenie.ca. 86400 IN DS 20878 5 1 ( 7649DF86DCA9B6B234CBEB3C11E6F7CC38A0B6AA )

The DNSKEY stays in the child zone; the DS goes in the parent zone (.ca). Reading the fields: flags 257 = zone key with the SEP bit set (a KSK), protocol 3, algorithm 5 = RSA/SHA-1; the DS carries the key tag (20878), the same algorithm number, digest type 1 = SHA-1, and the digest of the owner name plus DNSKEY RDATA.
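Deriving the DS from the DNSKEY above, as an added example that is not CIRA's code and not part of the original slides: it parses both records in presentation format, computes the RFC 4034 key tag and DS digest (SHA-1 as on the slide, SHA-256 per RFC 4509, SHA-384 per RFC 6605), and checks that a DS really refers to a given DNSKEY, which is the check a registrar or registry wants before a DS is published in the parent. The DNSKEY and DS text are copied from the slide; the short `example.ca.` key in the usage is constructed for illustration; GOST (digest type 3) is left out because hashlib has no GOST R 34.11-94.

```python
"""Derive and verify a DS record from a DNSKEY: RFC 4034 key tag and SHA-1 digest,
RFC 4509 SHA-256, RFC 6605 SHA-384.  Added example, not CIRA's code."""
import base64
import hashlib
import struct

# DS digest types from the IANA registry. Type 3 (GOST R 34.11-94) is left out: hashlib has no GOST.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# The KSK and DS shown on the slide above (copied from the page, not constructed).
SLIDE_DNSKEY = """viagenie.ca. 3556 IN DNSKEY 257 3 5 (
    AwEAAaejF8WJSwiUBCvpxrVrD40O9xIKy0GGUs0pvcAE
    2T8b2EsbmTnizimWygZ/BE0kCVViOVfW8JaxmwYwBPAD
    DuG2G23yHUJgfelW+7jM1L23VuqNc+It4z8fHse/g4sn
    NcZ/fjpSLAF0KMO95cUUzFKU6GTeFm+ebpxBvjQ+x21p
    TMJ8DWMAjbNRsaBS6yK2DVR3tQFkf9TrF7Rd4NiARG2n
    xkQ09JXS3+cv/kofRnxesV7unAc0nnw1aoeLDgGEj9+k
    u8Fu86hVGFq6HBgP+zrQCnTyspYk+d5OjQAzIPtB4G+X
    aWh/ZLfLwo9b7RFUT4c5fSxZLHYotHspCasS8gM=
    ) ; key id = 20878"""
SLIDE_DS = "viagenie.ca. 86400 IN DS 20878 5 1 7649DF86DCA9B6B234CBEB3C11E6F7CC38A0B6AA"


def _tokens(text):
    """Presentation-format tokens with ';' comments and '( )' line continuations removed."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    return body.replace("(", " ").replace(")", " ").split()


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower-case, length-prefixed labels, root = 0x00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(text):
    """(owner, flags, protocol, algorithm, public key bytes) from a DNSKEY RR in presentation format."""
    t = _tokens(text)
    i = t.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in t[i + 1:i + 4])
    return t[0], flags, protocol, algorithm, base64.b64decode("".join(t[i + 4:]))


def parse_ds(text):
    """(owner, key tag, algorithm, digest type, upper-case hex digest) from a DS RR."""
    t = _tokens(text)
    i = t.index("DS")
    key_tag, algorithm, digest_type = (int(x) for x in t[i + 1:i + 4])
    return t[0], key_tag, algorithm, digest_type, "".join(t[i + 4:]).upper()


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: sum over the RDATA with even bytes weighted by 256, carry folded once."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """256 marks a zone key; 1 (SEP) marks the key a DS is expected to point at, i.e. 257 = KSK."""
    return flags & 0x0100 != 0 and flags & 0x0001 != 0


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS RR the parent (.ca) should publish: digest over canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(ds_text, dnskey_text):
    """True only if the DS was derived from this DNSKEY: same owner, algorithm, key tag and digest."""
    ds_owner, tag, ds_alg, digest_type, digest = parse_ds(ds_text)
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    if ds_owner.lower() != owner.lower() or ds_alg != algorithm or digest_type not in DIGEST_ALGS:
        return False
    expected = parse_ds(make_ds(owner, flags, protocol, algorithm, pubkey, digest_type))
    return expected[1:] == (tag, algorithm, digest_type, digest)


if __name__ == "__main__":
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(SLIDE_DNSKEY)
    print(f"{owner}: KSK={is_ksk(flags)}, algorithm={algorithm}, key={len(pubkey)} bytes")
    print(make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=1))  # the form the slide shows
    print(make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2))  # SHA-256 form (RFC 4509)
    print("slide DS matches slide DNSKEY:", ds_matches_dnskey(SLIDE_DS, SLIDE_DNSKEY))
```

Running it prints the SHA-1 and SHA-256 DS forms for the slide's key and whether the slide's DS matches; if a registrar ever submits a DS whose key tag or digest does not match the live DNSKEY, the delegation becomes bogus for every validating resolver, which is exactly why the match check belongs in the submission path.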

Page 8

DNSSEC in the .CA Registry

• Accepting DNSSEC material from Registrants, via the Registrars, into the registry for inclusion in the .CA zone file

• The EPP extensions for DNSSEC are defined in RFC 5910 (secDNS-1.1).

• Available March 2014


Page 9

CIRA’s Implementation of DNSSEC

CIRA supports:

• the DS interface
• the DNSKEY interface
• DS and DNSKEY together

RFC 5910 – Support DNSKEY and DS Interface:

"There are two different forms of interfaces that a server can support. The first is called the "DS Data Interface", where the client is responsible for the creation of the DS information … The second is the "Key Data Interface", where the client is responsible for passing the key data information …"


Page 10

Some DNSSEC Parameters (reference only)

• secDNS-1.1.xsd – RFC 5910
• Store a maximum of 6 DS and/or DNSKEY records
• Support of all 11 algorithms identified as valid zone signing algorithms (DSA, RSA, GOST, ECDSA, etc.)
• Support of 4 digest algorithms when accepting DS data records (SHA-1, SHA-256, SHA-384, GOST R 34.11-94)
• When CIRA is given a DNSKEY record and generates the DS record itself, digest algorithm SHA-1 will be used. (RFC 8624, published later, says new DS records MUST NOT use SHA-1; SHA-256, digest type 2 per RFC 4509, is the current choice.)
• Optional <secDNS:maxSigLife> element will NOT be supported
• Optional urgent attribute will NOT be supported
• Whois will show the DNSSEC status (signed/unsigned)
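The two RFC 5910 interfaces of pages 8 and 9 and the registry rules on this page, as an added example that is not CIRA's registry code: it serializes the `<secDNS:create>` extension for the DS Data Interface, for the Key Data Interface, and for the "DS and DNSKEY" form where the key travels inside `<secDNS:dsData>`, then runs the acceptance checks listed above (at most 6 records, digest types 1/2/3/4 only, no `maxSigLife`, no `urgent`) over a create or update. The digest hex lengths are my assumption from the digest sizes; the list of 11 zone signing algorithms is not on the page, so it is not enforced; the shortened `pubKey` in the usage is constructed.

```python
"""RFC 5910 secDNS-1.1 extension builder plus the registry policy checks from slide 10.
Added example, not CIRA's registry code."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:secDNS-1.1"
ET.register_namespace("secDNS", NS)

# Policy from slide 10. The hex lengths are an assumption from the digest sizes:
# 1 = SHA-1 (160 bit), 2 = SHA-256, 3 = GOST R 34.11-94 (256 bit), 4 = SHA-384.
MAX_RECORDS = 6
DIGEST_HEX_LEN = {1: 40, 2: 64, 3: 64, 4: 96}


def _el(parent, tag, text=None):
    el = ET.SubElement(parent, f"{{{NS}}}{tag}")
    if text is not None:
        el.text = str(text)
    return el


def _key_data(parent, key):
    """key = (flags, protocol, alg, base64 pubKey): the DNSKEY RDATA fields of RFC 5910 s4.2."""
    flags, protocol, alg, pubkey = key
    kd = _el(parent, "keyData")
    _el(kd, "flags", flags)
    _el(kd, "protocol", protocol)
    _el(kd, "alg", alg)
    _el(kd, "pubKey", pubkey)
    return kd


def build_create(ds_records=(), keys=()):
    """Serialize a <secDNS:create>.
    DS Data Interface:  ds_records = (keyTag, alg, digestType, digest[, key]) tuples; an optional
                        5th element embeds the DNSKEY inside <secDNS:dsData> ("DS and DNSKEY").
    Key Data Interface: keys = (flags, protocol, alg, pubKey) tuples; the registry derives the DS.
    The RFC 5910 schema is a choice between the two at the top level, so exactly one is allowed."""
    if bool(ds_records) == bool(keys):
        raise ValueError("supply dsData or keyData at the top level, not both and not neither")
    create = ET.Element(f"{{{NS}}}create")
    for rec in ds_records:
        key_tag, alg, digest_type, digest = rec[:4]
        ds = _el(create, "dsData")
        _el(ds, "keyTag", key_tag)
        _el(ds, "alg", alg)
        _el(ds, "digestType", digest_type)
        _el(ds, "digest", digest)
        if len(rec) > 4 and rec[4] is not None:
            _key_data(ds, rec[4])
    for key in keys:
        _key_data(create, key)
    return ET.tostring(create, encoding="unicode")


def check_policy(xml_text):
    """Registry-side acceptance check for a <secDNS:create> or <secDNS:update>.
    Returns the list of rejection reasons; an empty list means the extension is accepted."""
    root = ET.fromstring(xml_text)
    is_create = root.tag == f"{{{NS}}}create"
    problems = []
    if root.get("urgent") is not None:                      # slide 10: urgent not supported
        problems.append("urgent attribute is not supported")
    if root.find(f".//{{{NS}}}maxSigLife") is not None:     # slide 10: maxSigLife not supported
        problems.append("maxSigLife is not supported")
    ds_records = root.findall(f".//{{{NS}}}dsData")
    all_keys = root.findall(f".//{{{NS}}}keyData")
    embedded = [k for d in ds_records for k in d.findall(f"{{{NS}}}keyData")]
    standalone_keys = len(all_keys) - len(embedded)         # keyData not nested in a dsData
    if is_create and ds_records and standalone_keys:
        problems.append("dsData and keyData cannot be mixed at the top level of create")
    if len(ds_records) + standalone_keys > MAX_RECORDS:     # slide 10: at most 6 records
        problems.append(f"more than {MAX_RECORDS} DS/DNSKEY records")
    if is_create and not ds_records and not standalone_keys:
        problems.append("no DS or DNSKEY data supplied")
    for d in ds_records:                                    # slide 10: 4 accepted digest types
        digest_type = int(d.findtext(f"{{{NS}}}digestType", "0"))
        digest = (d.findtext(f"{{{NS}}}digest") or "").strip()
        if digest_type not in DIGEST_HEX_LEN:
            problems.append(f"digest type {digest_type} is not accepted")
        elif len(digest) != DIGEST_HEX_LEN[digest_type] or any(
                c not in "0123456789abcdefABCDEF" for c in digest):
            problems.append(f"digest length/format does not match digest type {digest_type}")
    return problems


if __name__ == "__main__":
    slide_ds = (20878, 5, 1, "7649DF86DCA9B6B234CBEB3C11E6F7CC38A0B6AA")  # DS from slide 7
    slide_key = (257, 3, 5, "AwEAAa")  # constructed: pubKey cut to its first characters for display
    for label, xml in [("DS interface", build_create(ds_records=[slide_ds])),
                       ("Key interface", build_create(keys=[slide_key])),
                       ("DS and DNSKEY", build_create(ds_records=[slide_ds + (slide_key,)]))]:
        print(label, "->", check_policy(xml) or "accepted")
        print(xml)
```

The digest-length check is the one worth keeping even if the rest of the policy changes: a registrar that submits a SHA-256-length digest with `digestType` 1 produces a DS the parent will happily publish and no resolver will ever match.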


Page 11

DNSSEC Validation @ ISP

• What is recursive DNSSEC validation?

  – The caching recursive name server validates the DNSSEC signatures (RRSIG records) it receives with an answer against the zone's DNSKEY records, and follows the chain of DS and DNSKEY records up to the configured root trust anchor (and more).

• http://www.surfnet.nl/Documents/rapport_Deploying_DNSSEC_v20.pdf


Page 12

DNSSEC Enabled DNS Query (highly simplified)

[Diagram: an Internet user's end-user application (becoming DNSSEC aware) asks the ISP's DNSSEC-enabled recursive servers, which cache results, for www.cira.ca; the recursive server queries the authoritative servers for "." (ROOT), ".ca" (TLDs) and "cira.ca" (DNS operators) in turn; the user then connects to the web server www.cira.ca at 2001:500:80:2::12 / 192.228.29.1.]

All DNSSEC-enabled responses include DNSSEC signatures that must be validated against the DNSKEY.


Page 13

DNSSEC Validation @ ISP

To enable DNSSEC validation at an ISP:

• Ensure the DNS software on your caching recursive servers supports DNSSEC

– BIND version 9.7 and up

– Unbound version 1.4 and up

– Microsoft DNS on Windows Server 2012 and up

– Many other open source and commercial versions


Page 14

DNSSEC Requirements @ ISP

• Ensure that you're running a recent and adequately sized recursive DNS infrastructure
  – DNSSEC relies on public key cryptography, so validation adds signature verification work on the resolver and larger responses on the wire
  – No research was found specifying exact hardware sizing requirements
    • Hardware
    • Bandwidth
  – Comcast: IPv6 and DNSSEC, ~10% increase in rDNS usage


Page 15

DNSSEC Requirements @ ISP

• May need to upgrade software / hardware to support validation

• Need to support large UDP DNS responses, up to 4K, including UDP fragments (fragmented UDP is frequently dropped on the path, which is why current guidance caps the advertised EDNS buffer at 1232 bytes and relies on TCP fallback)

• Need to support DNS over TCP

• Configure your recursive servers with the IANA root trust anchor, and keep it current (RFC 5011 automated updates handle root KSK rollovers)

• Negative trust anchors for broken sites (a temporary measure only; it turns validation off beneath that name)
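The settings above as configuration fragments for BIND 9 and Unbound, added here and not taken from the slides. `broken.example` is a placeholder for a domain with a broken chain of trust, and the Unbound anchor file path is the usual packaged default (adjust for your distribution); `validate-except` needs BIND 9.13 or later.

```conf
# --- BIND 9: named.conf, inside options { ... } ---
options {
    dnssec-validation auto;     # validate using the built-in IANA root trust anchor, kept current via RFC 5011
    edns-udp-size 4096;         # the 4K the slide asks for; 1232 avoids fragment loss and falls back to TCP
    # Negative trust anchor: temporarily stop validating beneath a zone with a broken chain (BIND 9.13+).
    validate-except { "broken.example"; };
};

# --- Unbound: unbound.conf, inside server: ---
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # seeded with unbound-anchor, updated per RFC 5011
    edns-buffer-size: 1232                                 # upstream EDNS buffer; TCP is used when truncated
    domain-insecure: "broken.example"                      # negative trust anchor equivalent, remove when fixed
```

DNS over TCP needs no extra switch in either server; what matters is that firewalls and load balancers in front of the resolvers pass TCP/53 and UDP fragments.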


Page 16

Questions

• If you want our DNSSEC Registrar specifications document, let me know, 40 pages of good stuff.

• Please contact us @ CIRA if you have any questions

[email protected]
