SlideShare una empresa de Scribd logo

ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI

Deploy360 Programme (Internet Society)
Deploy360 Programme (Internet Society)

- The document discusses the past, current, and future status of DNSSEC implementation in the .si top-level domain. It notes that .si was signed in late 2011 but that full deployment is still far off due to low DNSSEC awareness and concerns about additional administration needs. Future plans include improving registry support, educating resolver operators and internet users, and incentivizing the signing of .si domains.

1 de 8
Descargar para leer sin conexión
DNSSEC  in  .si   Where  we  are   Benjamin Zwittnig Arnes, Register.si Benjamin.zwittnig@register.si
Agenda •  Past actions •  Current status •  Future plans •  Conclusion
Past actions •  Recursive DNS servers - Turned on validation in 2010 - Monitoring traffic, anomalies, increase of TCP... •  Authoritative zone(s) •  Prepare for signing .si - A lot of testing - HSM modules - Different rollover scenarios - Traffic - A lot of documentation
Current status •  At the end of 2011 - .si was signed - DS records were published in root zone •  No problems with signing procedures •  DNSSEC provisioning in the registry sistem is not ready yet •  DS records for .si domains - cca 20 .si domains have DS records in .si - No real interest
Current status •  Resolver operators - On 7th place acording to a RIPE report •  Government shows some interest in DNSSEC - Validation on their recursive resolvers - Signing of their domains later
Current status •  Knowledge about DNSSEC is quite low •  Afraid of technology •  No more zero time administration - Regular key rollovers - Difficult debugging - No immediate benefit from DNSSEC •  Chicken and egg problem
Future plans •  Adapt our registry software to support DNSSEC •  Offer an optional DNSSEC signing service for our customers (as NREN) •  Convince resolver operators to turn on validation •  DNSSEC workshops for all interested parties •  Marketing of DNSSEC •  Discounts for DNSSEC signed domains ?
Conclusion •  Although we have signed .si, we are still far from a full deployment •  Some new problems - Transfer of DNSSEC signed domains - DDoS amplification attacks •  For a real spin off we need - Good DNSSEC awareness among internet users - Critical mass - A good application/service which uses benefits of DNSSEC (maybe DANE)

Recomendados

PLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w Polsce
PLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w PolscePLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w Polsce
PLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w PolscePROIDEA
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryDeploy360 Programme (Internet Society)
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
AIS e-High Availability (e-HA)
AIS e-High Availability (e-HA)AIS e-High Availability (e-HA)
AIS e-High Availability (e-HA)AISDC
 
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]APNIC
 
ION Ljubljana - Aaron Hughes: Best Current Operational Practices
ION Ljubljana - Aaron Hughes: Best Current Operational PracticesION Ljubljana - Aaron Hughes: Best Current Operational Practices
ION Ljubljana - Aaron Hughes: Best Current Operational PracticesDeploy360 Programme (Internet Society)
 
Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...
Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...
Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...Deploy360 Programme (Internet Society)
 
World IPv6 Day Recap (ION Toronto 2011)
World IPv6 Day Recap (ION Toronto 2011) World IPv6 Day Recap (ION Toronto 2011)
World IPv6 Day Recap (ION Toronto 2011) Deploy360 Programme (Internet Society)
 

Recomendados

PLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w Polsce
PLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w PolscePLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w Polsce
PLNOG 3: Kamil Grabowski - Jak stworzyc skuteczne NOC w PolscePROIDEA
 
ION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryION Sri Lanka - DNSSEC at LK Domain Registry
ION Sri Lanka - DNSSEC at LK Domain RegistryDeploy360 Programme (Internet Society)
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
AIS e-High Availability (e-HA)
AIS e-High Availability (e-HA)AIS e-High Availability (e-HA)
AIS e-High Availability (e-HA)AISDC
 
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]APNIC
 
ION Ljubljana - Aaron Hughes: Best Current Operational Practices
ION Ljubljana - Aaron Hughes: Best Current Operational PracticesION Ljubljana - Aaron Hughes: Best Current Operational Practices
ION Ljubljana - Aaron Hughes: Best Current Operational PracticesDeploy360 Programme (Internet Society)
 
Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...
Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...
Challenges and Opportunities in Deploying IPv6, DNSSEC, and Other Key Technol...Deploy360 Programme (Internet Society)
 
World IPv6 Day Recap (ION Toronto 2011)
World IPv6 Day Recap (ION Toronto 2011) World IPv6 Day Recap (ION Toronto 2011)
World IPv6 Day Recap (ION Toronto 2011) Deploy360 Programme (Internet Society)
 
ION Sao Paulo - Jiri Prusa: Policies and IPv6
ION Sao Paulo - Jiri Prusa: Policies and IPv6ION Sao Paulo - Jiri Prusa: Policies and IPv6
ION Sao Paulo - Jiri Prusa: Policies and IPv6Deploy360 Programme (Internet Society)
 
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECDeploy360 Programme (Internet Society)
 
ION Belfast - Opening Slides - Chris Grundemann
ION Belfast - Opening Slides - Chris GrundemannION Belfast - Opening Slides - Chris Grundemann
ION Belfast - Opening Slides - Chris GrundemannDeploy360 Programme (Internet Society)
 
Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?
Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?
Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?Stichting Interdisciplinaire Werkgroep Osteoporose
 
Развитие международной торговли на базе принципов вто
Развитие международной торговли на базе принципов втоРазвитие международной торговли на базе принципов вто
Развитие международной торговли на базе принципов втоWTCMoscow
 
Moderne behandeling osteoporose
Moderne behandeling osteoporoseModerne behandeling osteoporose
Moderne behandeling osteoporoseStichting Interdisciplinaire Werkgroep Osteoporose
 
K 3-a=ricko,rudy mei, ursa
K 3-a=ricko,rudy mei, ursaK 3-a=ricko,rudy mei, ursa
K 3-a=ricko,rudy mei, ursarickoputra31
 
Program Logic Models
Program Logic Models Program Logic Models
Program Logic Models Kuhonga
 
Portfelio
PortfelioPortfelio
PortfelioWonderwall Agency
 
From Requirements to high quality deliverables - Visure Solutions & Wind River
From Requirements to high quality deliverables - Visure Solutions & Wind RiverFrom Requirements to high quality deliverables - Visure Solutions & Wind River
From Requirements to high quality deliverables - Visure Solutions & Wind RiverVisure Solutions
 
действия часть 1 фраза
действия часть 1 фразадействия часть 1 фраза
действия часть 1 фразаНаталья Кулакова
 
ファイナンシャル・エクストラネット
ファイナンシャル・エクストラネットファイナンシャル・エクストラネット
ファイナンシャル・エクストラネットKVH Co. Ltd.
 
портфелио
портфелиопортфелио
портфелиоWonderwall Agency
 
3832 jackson-history
3832 jackson-history3832 jackson-history
3832 jackson-historyAccion America
 
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12Mfuse Limited
 
Materi pak dangkua
Materi pak dangkuaMateri pak dangkua
Materi pak dangkuahamidu0999
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?Deploy360 Programme (Internet Society)
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? Deploy360 Programme (Internet Society)
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECDeploy360 Programme (Internet Society)
 

Más contenido relacionado

Destacado

Развитие международной торговли на базе принципов вто
Развитие международной торговли на базе принципов втоРазвитие международной торговли на базе принципов вто
Развитие международной торговли на базе принципов втоWTCMoscow
 
K 3-a=ricko,rudy mei, ursa
K 3-a=ricko,rudy mei, ursaK 3-a=ricko,rudy mei, ursa
K 3-a=ricko,rudy mei, ursarickoputra31
 
Program Logic Models
Program Logic Models Program Logic Models
Program Logic Models Kuhonga
 
From Requirements to high quality deliverables - Visure Solutions & Wind River
From Requirements to high quality deliverables - Visure Solutions & Wind RiverFrom Requirements to high quality deliverables - Visure Solutions & Wind River
From Requirements to high quality deliverables - Visure Solutions & Wind RiverVisure Solutions
 
ファイナンシャル・エクストラネット
ファイナンシャル・エクストラネットファイナンシャル・エクストラネット
ファイナンシャル・エクストラネットKVH Co. Ltd.
 
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12Mfuse Limited
 
Materi pak dangkua
Materi pak dangkuaMateri pak dangkua
Materi pak dangkuahamidu0999
 

Destacado (16)

ION Sao Paulo - Jiri Prusa: Policies and IPv6
ION Sao Paulo - Jiri Prusa: Policies and IPv6ION Sao Paulo - Jiri Prusa: Policies and IPv6
ION Sao Paulo - Jiri Prusa: Policies and IPv6
 
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
 
ION Belfast - Opening Slides - Chris Grundemann
ION Belfast - Opening Slides - Chris GrundemannION Belfast - Opening Slides - Chris Grundemann
ION Belfast - Opening Slides - Chris Grundemann
 
Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?
Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?
Vertebro/kyfoplastiek: bewezen effectief of (nog) niet bewezen effectief?
 
Развитие международной торговли на базе принципов вто
Развитие международной торговли на базе принципов втоРазвитие международной торговли на базе принципов вто
Развитие международной торговли на базе принципов вто
 
Moderne behandeling osteoporose
Moderne behandeling osteoporoseModerne behandeling osteoporose
Moderne behandeling osteoporose
 
K 3-a=ricko,rudy mei, ursa
K 3-a=ricko,rudy mei, ursaK 3-a=ricko,rudy mei, ursa
K 3-a=ricko,rudy mei, ursa
 
Program Logic Models
Program Logic Models Program Logic Models
Program Logic Models
 
Portfelio
PortfelioPortfelio
Portfelio
 
From Requirements to high quality deliverables - Visure Solutions & Wind River
From Requirements to high quality deliverables - Visure Solutions & Wind RiverFrom Requirements to high quality deliverables - Visure Solutions & Wind River
From Requirements to high quality deliverables - Visure Solutions & Wind River
 
действия часть 1 фраза
действия часть 1 фразадействия часть 1 фраза
действия часть 1 фраза
 
ファイナンシャル・エクストラネット
ファイナンシャル・エクストラネットファイナンシャル・エクストラネット
ファイナンシャル・エクストラネット
 
портфелио
портфелиопортфелио
портфелио
 
3832 jackson-history
3832 jackson-history3832 jackson-history
3832 jackson-history
 
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12
Mfuse - The Native vs HTML5 Debate - Whitepaper - Nov 12
 
Materi pak dangkua
Materi pak dangkuaMateri pak dangkua
Materi pak dangkua
 

Similar a ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI

NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and SecurityAPNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
IPv6 Summit Powerpoint
IPv6 Summit PowerpointIPv6 Summit Powerpoint
IPv6 Summit PowerpointTim Price
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentAPNIC
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Responsepm123008
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
VoIP Monitoring and Troubleshooting
VoIP Monitoring and TroubleshootingVoIP Monitoring and Troubleshooting
VoIP Monitoring and TroubleshootingThousandEyes
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 

Similar a ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI (20)

ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC? ION Toronto - Why Implement DNSSEC?
ION Toronto - Why Implement DNSSEC?
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
Honeypots and Security
Honeypots and SecurityHoneypots and Security
Honeypots and Security
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
IPv6 Summit Powerpoint
IPv6 Summit PowerpointIPv6 Summit Powerpoint
IPv6 Summit Powerpoint
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
DNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and ResponseDNS in IR: Collection, Analysis and Response
DNS in IR: Collection, Analysis and Response
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case Study
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
VoIP Monitoring and Troubleshooting
VoIP Monitoring and TroubleshootingVoIP Monitoring and Troubleshooting
VoIP Monitoring and Troubleshooting
 
ION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim GalvinION Belfast - Why Implement DNSSEC? - Jim Galvin
ION Belfast - Why Implement DNSSEC? - Jim Galvin
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 

Más de Deploy360 Programme (Internet Society)

Más de Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

ION Ljubljana - Benjamin Zwittnig: DNSSEC in .SI

  • 1. DNSSEC  in  .si   Where  we  are   Benjamin Zwittnig Arnes, Register.si Benjamin.zwittnig@register.si
  • 2. Agenda •  Past actions •  Current status •  Future plans •  Conclusion
  • 3. Past actions •  Recursive DNS servers - Turned on validation in 2010 - Monitoring traffic, anomalies, increase of TCP... •  Authoritative zone(s) •  Prepare for signing .si - A lot of testing - HSM modules - Different rollover scenarios - Traffic - A lot of documentation
  • 4. Current status •  At the end of 2011 - .si was signed - DS records were published in root zone •  No problems with signing procedures •  DNSSEC provisioning in the registry sistem is not ready yet •  DS records for .si domains - cca 20 .si domains have DS records in .si - No real interest
  • 5. Current status •  Resolver operators - On 7th place acording to a RIPE report •  Government shows some interest in DNSSEC - Validation on their recursive resolvers - Signing of their domains later
  • 6. Current status •  Knowledge about DNSSEC is quite low •  Afraid of technology •  No more zero time administration - Regular key rollovers - Difficult debugging - No immediate benefit from DNSSEC •  Chicken and egg problem
  • 7. Future plans •  Adapt our registry software to support DNSSEC •  Offer an optional DNSSEC signing service for our customers (as NREN) •  Convince resolver operators to turn on validation •  DNSSEC workshops for all interested parties •  Marketing of DNSSEC •  Discounts for DNSSEC signed domains ?
  • 8. Conclusion •  Although we have signed .si, we are still far from a full deployment •  Some new problems - Transfer of DNSSEC signed domains - DDoS amplification attacks •  For a real spin off we need - Good DNSSEC awareness among internet users - Critical mass - A good application/service which uses benefits of DNSSEC (maybe DANE)