ION Toronto, 11 November 2013: CIRA has completed two phases of a three-phased approach to implement DNSSEC on the .CA country code Top Level Domain (ccTLD). First, they released a DNSSEC Practice Statement for comment, providing an operational outline of how CIRA plans to develop, maintain and manage DNSSEC deployment for .CA. Next, they held a key signing ceremony where they generated the cryptographic digital key that is used to secure the .CA zone. On January 21, 2013, CIRA published a signed .CA zone file, and on January 23, the .CA DS record was submitted to the Internet Assigned Numbers Authority (IANA). The next phase of CIRA’s work in implementing DNSSEC is to make the necessary upgrades to ready the registry system for transacting DNSSEC-enabled .CA domain names. This work is expected to be complete in 2014. Once complete, CIRA will be able to register DNSSEC-enabled .CA domain names. This session will explore CIRA’s technical solution for deploying DNSSEC support in the .CA registry. With our goal of making it easier for registrars, registrants and DNS operator to support any combination of DS and DNSKEY registration. We will take a quick look at our DNSSEC awareness strategy, the status/progress of .CA signed domains, and our lessons learned and challenges for increasing numbers of signed domain names.

1. Deploying DNSSEC:
A .CA Case Study
Canadian Internet Registration Authority (CIRA)
Jacques Latour
ION - Toronto
November 14, 2011
1
ION - Toronto - 2011-11-14

2. About CIRA
1. Operate the .CA Top Level Domain Registry
 Registrant  Registrar  Registry  .CA DNS
2. Operate the .CA Top Level Domain DNS
 Root “.”  “.CA”  2nd Level .CA domains
 Internet Users  ISP  “.CA”
3. Do good things for the Canadian Internet

2
Promote IXP development, adoption of IPv6 and DNSSEC
ION - Toronto - 2011-11-14

3. DNSSEC @ .CA
DNSSEC is a multi phase project
• Phase 1 – Sign .CA (completed January 2013)
– Dual in-line signer – works great!
• Phase 2 – Implement DNSSEC support in the .CA
registry
– Current work in progress, planned for March 2014
• Phase 3 – Promote adoption of DNSSEC in Canada
– .CA registrars, Internet service providers, enterprises
– April 2014 and on-going
3
ION - Toronto - 2011-11-14

4. DNSSEC Signer & Validation
2.0/8.0 – DNSSEC Signer & Verification (Step 2)
• Dual online signer sets
located in different locations
– Sign with Bind & OpenDNSSEC
– Signed zone file validation
– DR site always up to date
[2.0] SIGNER - PRD
2.1
1-C (sticky)
2.5
DNSSEC Signer (ODS)
1-D
(backup)
2.1-a
Level 2 Validator
2.1-c
HSM
2.3
2.1-b
2-a
2.2-c
HSM
2.4
DNSSEC Signer (Bind)
• Resilient solution
2.2-b
Level 2 Validator
2.2-a
2.2
– 9 months in production
– 8 ZSK rollover
2-a
2-b
2.6
[8.0] SIGNER - BAK
8.1
8.5
DNSSEC Signer (ODS)
8.1-a
Level 2 Validator
8-a
8.1-c
HSM
8.3
• 78 signed domains
8.2-c
HSM
8.4
DNSSEC Signer (Bind)
8.2
4
ION - Toronto - 2011-11-14
8.1-b
8.2-b
8.2-a
Level 2 Validator
8.6
8-b

5. DNSSEC in the .CA Registry
• Primary objectives:
Keep it simple for Registrars to work with .CA
5
ION - Toronto - 2011-11-14

6. Signing a 2nd Level Domain
• DNS Operator is the entity operating the DNS server and
generating DNSSEC material
• In some instances, the DNS Operator is;
– The Registrant when they operate their own DNS
– The Registrar when offering services like hosted web services
– The DNS service provider offering outsourced DNS services
6
ION - Toronto - 2011-11-14

7. Signing a 2nd Level Domain
• DNS Operator is the entity operating the DNS server and
generating DNSSEC material, a DNSKEY and/or DS record.
viagenie.ca.
3556 IN
DNSKEY 257 3 5 (
AwEAAaejF8WJSwiUBCvpxrVrD40O9xIKy0GGUs0pvcAE
2T8b2EsbmTnizimWygZ/BE0kCVViOVfW8JaxmwYwBPAD
DuG2G23yHUJgfelW+7jM1L23VuqNc+It4z8fHse/g4sn
NcZ/fjpSLAF0KMO95cUUzFKU6GTeFm+ebpxBvjQ+x21p
TMJ8DWMAjbNRsaBS6yK2DVR3tQFkf9TrF7Rd4NiARG2n
xkQ09JXS3+cv/kofRnxesV7unAc0nnw1aoeLDgGEj9+k
u8Fu86hVGFq6HBgP+zrQCnTyspYk+d5OjQAzIPtB4G+X
aWh/ZLfLwo9b7RFUT4c5fSxZLHYotHspCasS8gM=
) ; key id = 20878
viagenie.ca.
86400 IN
DS 20878 5 1 (
7649DF86DCA9B6B234CBEB3C11E6F7CC38A0B6AA )
7
DS goes in parent zone (.ca)
ION - Toronto - 2011-11-14

8. DNSSEC in the .CA Registry
• Accepting DNSSEC material
from Registrants via the
Registrars into the registry
for inclusion in .CA zone file
• EPP extensions for DNSSEC
are defined in RFC5910.
• Available March 2014
8
ION - Toronto - 2011-11-14

9. CIRA’s Implementation of DNSSEC
RFC5910 Support DNSKEY and DS Interface
There are two different forms of interfaces that a server can support.
The first is called the "DS Data Interface",
where the client is responsible for the creation of
the DS information …
The second is the "Key Data Interface,“
where the client is responsible for passing the key data
information …
CIRA
• Support DS interface
• Support DNSKEY interface
• Support DS and DNSKEY
9
ION - Toronto - 2011-11-14

10. Some DNSSEC Parameters
(reference only)
• secDNS-1.1.xsd – RFC-5910
• Store a maximum of 6 DS and/or DNSKEY
• Support of all 11 algorithms identified as valid Zone Signing
algorithms (DSA, RSA, GOST, ECDSA, etc…)
• Support of 4 algorithms when accepting DS data records (SHA1/256/384, GOST R 34.11-94)
• When CIRA is given a DNSKEY record and generates the DS
record, digest algorithm SHA-1 will be used.
• Optional <secDNS:maxSigLife> element will NOT be supported
• Optional attribute urgent will NOT be supported.
• Whois will show the DNSSEC status (signed/unsigned)
10
ION - Toronto - 2011-11-14

11. DNSSEC Validation @ ISP
• What is recursive DNSSEC validation?
– The caching recursive name servers validates the
DNSSEC signatures received for an answer with
the domain’s DNSKEY keys. (and more)
•
11
http://www.surfnet.nl/Documents/rapport_Deploying_DNSSEC_v20.pdf
ION - Toronto - 2011-11-14

12. DNSSEC Enabled DNS Query
(Highly simplified )
DNSSEC
All DNSSEC enabled responses include
DNSSEC signatures, that must
be validated against the DNSKEY
“.”
ROOT
Authoritative
Servers
DNSSEC Enabled
Recursive Servers
Cache Results
(ISPs)
“.ca”
TLDs
Internet
User
Authoritative
Servers
“cira.ca”
End-user
application
becoming DNSSEC
Aware
12
DNS Operators
Connect to 2001:500:80:2::12
192.228.29.1
ION - Toronto - 2011-11-14
Web Server
www.cira.ca

13. DNSSEC Validation @ ISP
To enable DNSSEC validation at an ISP:
• Ensure the DNS software on your caching
recursive servers supports DNSSEC
– Bind version 9.7 and up
– Unbound version 1.4 and up
– Microsoft DNS on Windows Server 2012 and up
– Many other open source and commercial versions
13
ION - Toronto - 2011-11-14

14. DNSSEC Requirements @ ISP
• Ensure that you’re running a recent/decent
recursive DNS infrastructure
– DNSSEC relies on public key cryptography
– Did not find any research specifying exact
hardware sizing requirements
• Hardware
• Bandwidth
• Comcast: IPv6 and DNSSEC, ~10% increase in
rDNS usage
14
ION - Toronto - 2011-11-14

15. DNSSEC Requirements @ ISP
• May need to upgrade software / hardware to
support validation
• Need to support large UDP DNS responses up
to 4K, UDP fragments
• Need to support DNS over TCP
• Configure your recursive with the IANA trust
anchor
• Negative trust anchor for broken sites
(temporary measures)
15
ION - Toronto - 2011-11-14

16. Questions
• If you want our DNSSEC Registrar
specifications document, let me know, 40
pages of good stuff.
• Please contact us @ CIRA if you have any
questions
cira-dnssec@cira.ca
16
ION - Toronto - 2011-11-14