DNSSEC
The Registration System

Tim Verhoeven
Stijn Niclaes
DNS BE
• The registry for the .be ccTLD (country code
  Top Level Domain)
• A Non-profit organization
• Currently 1.000.000+ domains registered
• Domains are registered through agents, not
  directly with us
• Basics
• Standards
• DNS BE Specifics
  – Keygroups
  – Validation
• Transfers
• Examples
• DNSSEC in the registration system is
  implemented as an add-on
• It is not required if the domain is not signed
  with DNSSEC
• No changes to your interfaces are needed if
  DNSSEC is not used
• Use our interface to submit the public keys
  needed to create the “chain-of-trust”
• You give us the public key, we publish its DS
• All changes are according to the relevant
  RFCs:
     • RFC 4033 : DNSSEC, Introduction and Requirements.
     • RFC 4034 : DNSSEC, Resource records.
     • RFC 4035 : DNSSEC, Protocol modifications.
     • RFC 4641 : DNSSEC, Operational best practices.
     • RFC 5155 : DNSSEC, NSEC3.
     • RFC 5702 : DNSSEC, SHA2.
     • RFC 5910 : DNSSEC & EPP.

• RFC 5910 is the most important one : EPP
• One DNS BE specific change :
  keygroups (but not required)
RFC 5910
• Extension to EPP : secDNS-1.1
• 2 methods to submit key information :
  – DS information (just the DS record)
  – Keydata information (the complete public key)
• DNS BE only supports keydata information
DNS BE Specifics
• Keygroups (like nsgroups)
• Only accepts RSA/SHA2 family type keys
• Only accepts KSKs
• Validation of the keydata (according to RFC
• Notifications of the validation process
• Max. 4 keys per domain
• Allow the grouping of keys and reuse them for
  multiple domains (like nsgroups)
• When using key sharing allow for easier key-
  – Only update keygroup, not every domain
• Only one keygroup per domain
• Max. 4 keys per keygroup
• The name of the keygroup has to be unique
• Using both keys and a keygroup
  isn't allowed
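As an added example (not code from the DNS BE slides or from their registration system), the following Python script shows the registrar-side work implied by the slides above: build the secDNS-1.1 keyData extension for an EPP domain:create (RFC 5910), check a submission against the DNS BE constraints before sending it (RSA/SHA2 family only, KSKs only, at most 4 keys, no keys together with a keygroup), and compute the DS record that the registry derives from the submitted public key (RFC 4034 section 5.1.4 with the SHA-256 digest of RFC 4509). The algorithm numbers 8 (RSASHA256) and 10 (RSASHA512) are the registered RSA/SHA2 algorithms; the placeholder public key bytes, the dictionary layout of a key and the function names are constructed for this example.

```python
import base64
import hashlib
from xml.sax.saxutils import escape

# DNS BE constraints from the slides: RSA/SHA2 family keys only, KSKs only, at most 4 keys.
# 8 = RSASHA256 and 10 = RSASHA512 are the RSA/SHA2 members of the DNSSEC algorithm registry.
RSA_SHA2_ALGS = {8, 10}
KSK_FLAGS = 257          # ZONE (256) + SEP (1) bits set: a key-signing key
MAX_KEYS = 4
SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"


def wire_name(owner):
    """Canonical wire-format owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, alg]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except 1, RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_keydata(owner, flags, protocol, alg, pubkey_b64, digest_type=2):
    """DS RDATA the registry derives from submitted keyData (RFC 4034 section 5.1.4;
    digest type 2 is SHA-256 per RFC 4509). Returns (key_tag, algorithm, digest_type, hex_digest)."""
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest


def check_policy(keys, keygroup=None):
    """Return the reasons DNS BE would refuse this submission (empty list = acceptable).
    `keys` is a list of dicts with flags/protocol/alg/pubKey; `keygroup` is an optional keygroup name."""
    problems = []
    if keys and keygroup:
        problems.append("keys and a keygroup cannot be used together")
    if len(keys) > MAX_KEYS:
        problems.append(f"{len(keys)} keys submitted, maximum is {MAX_KEYS}")
    for k in keys:
        if k["alg"] not in RSA_SHA2_ALGS:
            problems.append(f"algorithm {k['alg']} is not in the RSA/SHA2 family (8 or 10)")
        if k["flags"] != KSK_FLAGS:
            problems.append(f"flags {k['flags']} do not describe a KSK (257)")
        if k["protocol"] != 3:
            problems.append(f"protocol {k['protocol']} must be 3 for DNSSEC")
    return problems


def secdns_create_extension(keys):
    """The <extension> element of an EPP domain:create carrying secDNS-1.1 keyData (RFC 5910)."""
    items = "".join(
        "<secDNS:keyData>"
        f"<secDNS:flags>{k['flags']}</secDNS:flags>"
        f"<secDNS:protocol>{k['protocol']}</secDNS:protocol>"
        f"<secDNS:alg>{k['alg']}</secDNS:alg>"
        f"<secDNS:pubKey>{escape(k['pubKey'])}</secDNS:pubKey>"
        "</secDNS:keyData>"
        for k in keys
    )
    return f'<extension><secDNS:create xmlns:secDNS="{SECDNS_NS}">{items}</secDNS:create></extension>'


if __name__ == "__main__":
    # Constructed sample: "AQI=" decodes to two placeholder bytes, not a real RSA public key.
    ksk = {"flags": 257, "protocol": 3, "alg": 8, "pubKey": "AQI="}
    print(check_policy([ksk]))                                   # [] means acceptable
    print(secdns_create_extension([ksk]))
    print(ds_from_keydata("example.be", ksk["flags"], ksk["protocol"], ksk["alg"], ksk["pubKey"]))
```

The DS is computed here only to show what the registry will publish once validation succeeds; under the keydata method the registrar never submits a DS itself, so a mismatch between this value and the DS seen in the .be zone would point at a key that was not the one submitted.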
• After adding keys to a domain the system will
  check if the nameservers attached to the
  zone have the added keys and if they have a
  valid signature
• Only after a successful validation will the DS
  records appear in the .be zone
• Once a domain is secure, updates to NS or DS
  records will only be done after the validation
• The check is done in the background
  – Commands do not wait for it to complete
• The check will be done maximum 5 times
  (with increasing intervals)
  – Do an empty update to retrigger
• Status can be found in the Registrar web
  interface or in EPP using
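To make the validation process above concrete, here is an added Python model of it (not the registry's code): after keys are added, each nameserver of the zone is checked for the submitted DNSKEYs and a valid signature, the check is retried at most 5 times with increasing intervals, the domain becomes secure (DS publishable) only when every nameserver passes, and a failed domain is retriggered by an empty update. The DNS query is replaced by a constructed `lookup` stand-in that also reports whether the RRSIG verified, the retry intervals are constructed because the slides give no timings, and the placeholder key bytes are not a real RSA key.

```python
import base64
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5
# Minutes to wait before attempts 2..5. Constructed: the slides only say the intervals increase.
RETRY_INTERVALS_MIN = [15, 60, 240, 1440]


def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA, used to compare a submitted key with what a nameserver serves."""
    return flags.to_bytes(2, "big") + bytes([protocol, alg]) + base64.b64decode(pubkey_b64)


@dataclass
class Domain:
    name: str
    nameservers: list
    keys: list                 # submitted keyData as (flags, protocol, alg, pubKey) tuples
    status: str = "pending"    # pending -> secure (DS may be published) or failed
    attempts: int = 0
    log: list = field(default_factory=list)


def keys_present(submitted, served):
    """Every submitted key must appear in the DNSKEY RRset the nameserver returns (extra keys are fine)."""
    served_set = {dnskey_rdata(*s) for s in served}
    return all(dnskey_rdata(*k) in served_set for k in submitted)


def validate_once(domain, lookup):
    """One background check. `lookup(ns, name)` stands in for a DNS query and returns
    (dnskey_rrset, rrsig_ok); the RRSIG verification itself is assumed to happen inside lookup.
    Returns the minutes until the next attempt, or None when validation has finished either way."""
    domain.attempts += 1
    failures = []
    for ns in domain.nameservers:
        served, rrsig_ok = lookup(ns, domain.name)
        if not keys_present(domain.keys, served):
            failures.append(f"{ns}: submitted key(s) not in DNSKEY RRset")
        elif not rrsig_ok:
            failures.append(f"{ns}: DNSKEY RRset signature did not validate")
    if not failures:
        domain.status = "secure"          # only now may the DS records go into the .be zone
        domain.log.append(f"attempt {domain.attempts}: ok")
        return None
    domain.log.append(f"attempt {domain.attempts}: " + "; ".join(failures))
    if domain.attempts >= MAX_ATTEMPTS:
        domain.status = "failed"          # the registrar must send an empty update to retrigger
        return None
    return RETRY_INTERVALS_MIN[domain.attempts - 1]


def run_validation(domain, lookup):
    """Drive the check to completion; the real registry runs this asynchronously to the EPP command."""
    while validate_once(domain, lookup) is not None:
        pass
    return domain.status


def retrigger(domain):
    """An empty domain update resets the counter so the registry starts checking again."""
    domain.status = "pending"
    domain.attempts = 0


def make_lookup(served_by_ns, published_on_attempt=None):
    """Constructed DNS stand-in. published_on_attempt maps a nameserver to the attempt number at
    which it first serves its keys (models a slow secondary); before that it answers empty."""
    calls = {}
    published_on_attempt = published_on_attempt or {}

    def lookup(ns, name):
        calls[ns] = calls.get(ns, 0) + 1
        if calls[ns] < published_on_attempt.get(ns, 1):
            return [], False
        return served_by_ns[ns], True
    return lookup


if __name__ == "__main__":
    ksk = (257, 3, 8, "AQI=")    # constructed placeholder key, not a real RSA key
    zsk = (256, 3, 8, "AwQ=")    # a ZSK the nameserver also serves but that was not submitted
    d = Domain("example.be", ["ns1.example.be", "ns2.example.be"], [ksk])
    slow = make_lookup({"ns1.example.be": [ksk, zsk], "ns2.example.be": [ksk]}, {"ns2.example.be": 3})
    print(run_validation(d, slow), d.attempts)    # secure 3
    for line in d.log:
        print(line)
```

The model makes one practical point visible: a single nameserver that has not yet loaded the new key (a lagging secondary) is enough to keep the whole domain out of the secure state, so the DNSKEY should be live on every NS listed for the zone before the keys are submitted to the registry.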
• Transfer of a secured zone between registrars
  can become more complicated
  – No change if DNS is managed by client or other 3rd
  – If DNS managed by registrar 3 scenarios are
    possible :
     • Old registrar passes keys (and signed zonefile) to new
     • New registrar gets unsigned zone and signs it with his own
     • Zone temporarily goes unsecured
Keys from old registrar to new
• Cooperation between registrars is required:
  – Old registrar gives the keys and the signed zonefile
    to the new registrar
  – New registrar loads these into his nameservers
  – The domain is transferred, the keys don't change
• Reduced chance of issues during or after
• No changes for the outside world
• The keys (including private) need to be
  transferred securely
• Preferred method!
New registrar, new keys
• New registrar only needs to obtain the
  unsigned zone and sign it with his own keys
  on his own nameservers
• Transfer of the domain is done with the new
  keys of the new agent
• Outside world sees new keys and signatures
• Old registrar still needs to keep the zone
  active until the TTL of the old records expires
• Higher chance of issues
Unsecure transfer
• The zone gets unsecured during the transfer
  – If possible, the old registrar unsecures the zone
  – New registrar adds unsecure zone to his
  – Transfer is initiated with no keys
  – New registrar signs the zone with new keys and adds
    those keys to the registry
• Possible issues with DNSSEC capable
  resolvers (caching of old records)
• Could mean zone is unreachable
Web: New domain
Web: Domain info
Web: Validation status