KeNIC –DNSSec Case Study
2nd June 2014
BY
TOILEM PORIOT GODWIN
KeNIC INTRODUCTION

KeNIC is the ccTLD manager of the .ke namespace.

KeNIC is a not-for-profit organization.

KeNIC is in the final process of implementing DNSSec

Full implementation expected to be complete by 12th June 2014.

KeNIC has a total of 170 registrars and a total of 36000 domains.
.KE Registry Setup

.ke Top level is not open for registration.

KE has a propagation server and a registration server for SLD registration.

Registry server generates zone files after domain registration and forwards domains every 30 mins to the propagation server

Domain details are stored in the registry server and only the zone files generated by the registry are sent to the propagation server

Domain registration has been automated to the registry via EPP and 50%
of registrars are fully automated.
.ke DNSSec Deployment Roadmap

Interest in setting up DNSSec in Kenya started in 2010.

DNSSec deployment was planned to start in May 2012.

Setup started in 2013 after the first DNSSec Roadshow by ICANN.

An updated DNSSec test server was set up in June 2013.

The most challenging part was the development of the .ke DNSSec Practice Statements (policy), which determine how DNSSec will be deployed.
.ke DNSSec Deployment Roadmap

The phase after setting up the test server was to simulate the root servers. This would help us develop a real-life chain of trust.

DNSSec deployed on the propagation server and IANA database updated on 17th March 2014

April 17th 2014: the first ZSK key rollover for .ke

DNSSec deployed on registry test server for SLDs on 17th April 2014

DNSSec will be deployed on Registry System 12th June 2014
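
A ZSK rollover like the one on this roadmap leaves RRSIG records in the zone that carry their own expiry dates and the key tag of whichever key produced them. The following check is an added example, not KeNIC's tooling: it audits RRSIG lines for signatures that are expired, close to expiry, or still made by a retired ZSK. The zone lines, names and key tags are constructed, and single-line records are assumed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: single-line RRSIG records as found in a signed zone file.
# Owner names, key tags and signature blobs are made up for illustration.
SAMPLE_ZONE = """\
; signed zone excerpt (constructed)
example.co.ke. 3600 IN RRSIG SOA 8 3 3600 20140517000000 20140417000000 11111 example.co.ke. c2lnLXNvYQ==
example.co.ke. 3600 IN RRSIG NS 8 3 3600 1400284800 20140417000000 11111 example.co.ke. c2lnLW5z
example.co.ke. 3600 IN NSEC www.example.co.ke. NS SOA RRSIG NSEC DNSKEY
www.example.co.ke. 3600 IN RRSIG A 8 4 3600 20140420000000 20140321000000 22222 example.co.ke. c2lnLWE=
example.co.ke. 3600 IN RRSIG DNSKEY 8 3 3600 20140601000000 20140317000000 33333 example.co.ke. c2lnLWtleQ==
"""


def parse_time(field):
    """RRSIG times are either YYYYMMDDHHmmSS (14 digits) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(zone_text):
    """Return one dict per RRSIG record; other record types are ignored."""
    records = []
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()
        if len(tokens) < 2:
            continue
        # Skip the optional TTL and class so that an NSEC type bitmap
        # containing the word RRSIG is not mistaken for an RRSIG record.
        i = 1
        while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in ("IN", "CH", "HS")):
            i += 1
        if i >= len(tokens) or tokens[i].upper() != "RRSIG":
            continue
        rdata = tokens[i + 1:]
        if len(rdata) < 9:
            continue  # truncated record, nothing reliable to audit
        records.append({
            "owner": tokens[0].lower(),
            "covered": rdata[0].upper(),
            "expiration": parse_time(rdata[4]),
            "inception": parse_time(rdata[5]),
            "key_tag": int(rdata[6]),
        })
    return records


def audit(zone_text, now, active_zsk_tags, ksk_tags, warn_before=timedelta(days=7)):
    """Return (rrset, finding) pairs that need operator attention."""
    findings = []
    for r in parse_rrsigs(zone_text):
        rrset = f"{r['owner']} {r['covered']}"
        if r["expiration"] <= now:
            findings.append((rrset, "expired"))
        elif r["expiration"] - now <= warn_before:
            findings.append((rrset, "expiring-soon"))
        if r["inception"] > now:
            findings.append((rrset, "not-yet-valid"))
        # The DNSKEY RRset is signed by the KSK; everything else by an active ZSK.
        allowed = (ksk_tags | active_zsk_tags) if r["covered"] == "DNSKEY" else active_zsk_tags
        if r["key_tag"] not in allowed:
            findings.append((rrset, "unexpected-key"))
    return findings


if __name__ == "__main__":
    # The day after a rollover: 11111 is the new ZSK, 22222 the retired one.
    day_after = datetime(2014, 4, 18, tzinfo=timezone.utc)
    for rrset, finding in audit(SAMPLE_ZONE, day_after, {11111}, {33333}):
        print(f"{finding:15} {rrset}")
```
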
DNS and DNSSec Introduction

The DNS is a critical piece of the Internet's infrastructure and makes a
natural target for people and organizations attempting to abuse the Internet.
Threats to the DNS take many forms.

Some threats are attacks on the zone files and servers that make up the
infrastructure of the DNS.

To understand DNSSEC – and what it can and cannot provide – a basic
understanding of the threats to the DNS is important.

The DNS is subject to security problems in three key areas: confidentiality,
integrity and availability. For the purposes of this work a loss of
confidentiality is the unauthorized disclosure of or access to information. A
loss of integrity is the unauthorized modification or destruction of
information. And a loss of availability is the disruption of access to the
underlying service.

DNSSEC is not an extension that provides tools for ensuring confidentiality
or availability. Instead, its goal is to ensure integrity
Technical Solution on DNSSec Deployment
Some issues that affect the DNSSec deployment had to
be looked at first:

Update of BIND to a version that supports DNSSec

Update of both Registry and Propagation Server OS to
OS versions that easily support applications that
automate DNSSec

Key storage and management Module.

Update of the registry System

Ensure initial systems work well with the updated
systems
Technical Solution on DNSSec Deployment (cont.)
To solve the issues previously listed, KeNIC had to:

Run two DNSSec systems in parallel:

Run manual DNSSec on the propagation server

Automate DNSSec on the registry system

This is because the .ke zone does not change a lot, and frequent re-signing of the zone is not needed

The registry server updates the zone files every 30 mins and would require automation

The registry system was updated to the current version, which will allow registrars to upload the DS record of a domain to the registry system

Use of softHSM for key storage and management (this will be used for a year before migrating to HSM)

Use OpenDNSSEC for DNSSec automation.
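
When registrars upload a DS record to the registry, that record only extends the chain of trust if it is a digest of a DNSKEY the child zone actually publishes. The following registry-side check is an added example, not KeNIC's registry code: it computes the key tag and DS digest as defined in RFC 4034 and RFC 4509 and compares them with the submission. The keys are constructed byte strings rather than real public keys, `example.co.ke.` is a made-up name, and accepting only SHA-256 and SHA-384 digests is an assumed policy.

```python
import hashlib
import struct

# Assumed registry policy for this example: accept SHA-256 (2) and SHA-384 (4).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """Build (key_tag, algorithm, digest_type, hex_digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def check_ds_submission(owner, ds, child_dnskeys):
    """Decide whether a registrar-submitted DS may be published for owner."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return "unsupported-digest-type"
    for rdata in child_dnskeys:
        flags, protocol, key_alg = struct.unpack("!HBB", rdata[:4])
        if key_tag(rdata) != tag or key_alg != algorithm:
            continue
        if make_ds(owner, rdata, digest_type)[3] != digest.replace(" ", "").upper():
            continue  # key tag collision or a digest over a different key/name
        if not flags & 0x0100 or protocol != 3:
            return "not-a-zone-key"  # DS must point at a key with the Zone Key flag
        if flags & 0x0080:
            return "revoked-key"
        return "ok"
    return "no-matching-dnskey"


# Constructed child zone data: short byte strings stand in for public keys.
CHILD = "example.co.ke."
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
ZSK = dnskey_rdata(256, 3, 8, b"\x05\x06\x07\x08")

if __name__ == "__main__":
    submitted = make_ds(CHILD, KSK)
    print(submitted)
    print(check_ds_submission(CHILD, submitted, [ZSK, KSK]))          # ok
    print(check_ds_submission("other.co.ke.", submitted, [ZSK, KSK]))  # no-matching-dnskey
```
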
DNSSec Uptake Strategy

Another major challenge of DNSSec after deployment is ensuring
registrars and registrants use the technology

This is attributed to the cost of managing and setting up a DNSSec
environment.

The biggest challenge is making a Business case for DNSSec

As a registry, KeNIC will help create a business case for DNSSec to
increase uptake of DNSSec.
Creating DNSSec business case
We can help create a business case by:

Reducing the effort (cost) of DNSSec implementation

Providing incentives to the registrars
Reduce the effort (cost)
This simply means bringing down the cost of DNSSec implementation. This can be achieved by:

Research and share

Simplifying DNSSec implementation for registrars

Automation

Reduce the risk of DNSSec implementation
Examples of reducing the effort
For registrars – Developing toolkits registrars can patch into their domain management systems. We have a similar thing for registrar-registry automation.
For registrants – Update the already automated registration process for most registrars to have a one-click DNSSec.
ISPs – Help them create simple DNSSec resolvers
Users – Having an on/off DNSSec option enabled by default
Providing Incentives
There are two possible ways KeNIC would like to accomplish this:

Make DNSSec a requirement

Generate user demand
Make DNSSec a requirement

By contractual agreement where all registrars are obligated to support DNSSec

Any new registrar must have a DNSSec resolver and knowledge of DNSSec

Collaboration with the government in ensuring government institutions deploy DNSSec.
Generate user demand
Need a reason to "want" DNSSec.
The potential reason is "Security" "Security" "Security".
Increase security:

This will only work if visible to end users

This requires education
Providing Incentives example

Target larger security conscious organisations
• Lobby software developers to implement
• Build DNSSEC as requirements into other applications (when it makes sense)
• Find innovative uses for a secure DNS (e.g. to supplement CAs)
Challenges on DNSSec Deployment for .ke

Integration of DNSSec into our current system

DNSSec automation.

Equipment needed to run DNSSec in line with DNSSec best practice

Uptake of DNSSec after the registry has implemented DNSSec

Lack of easy tools for registrars to deploy DNSSec in their environment.
Most registrars in Kenya use WHM and cPanel.

Organization structure makes management of DNSSec complex
Lessons Learned

DNSSec deployment is technically not a hard task. The hard task is management of DNSSec and DNSSec policy development

Registries can use softHSM if an HSM is expensive, but this is not a best practice for DNSSec

There are free automation tools for DNSSec. They work well in the registry environment

Deployment of DNSSec for a registry is not the last step. The last step is ensuring uptake of DNSSec by the end users

ION Djibouti: KENIC DNSSEC Case Study

  • 1. KeNIC –DNSSec Case Study 2nd June 2014 BY TOILEM PORIOT GODWIN
  • 2. 2 KeNIC INTRODUCTION  KeNIC is the ccTLD manager of the .ke namespace.  KeNIC is a not-for-profit organization.  KeNIC isis in the final process of Implementing DNSSec  Full Implementation expected to be complete by 12th June 2014.  KeNIC has a total of 170 registrars and a total of 36000 domains.
  • 3. .KE Registry Setup
      • The .ke top level is not open for registration.
      • .ke has a propagation server and a registration server for SLD registration.
      • The registry server generates zone files after domain registration and forwards domains every 30 minutes to the propagation server.
      • Domain details are stored in the registry server, and only the zone files generated by the registry are sent to the propagation server.
      • Domain registration has been automated to the registry via EPP, and 50% of registrars are fully automated.
  • 4. .ke DNSSec Deployment Roadmap
      • Interest in setting up DNSSec in Kenya started in 2010.
      • DNSSec deployment was planned to start in May 2012.
      • Setup started in 2013 after the first DNSSec Roadshow by ICANN.
      • An updated DNSSec test server was set up in June 2013.
      • The most challenging part was the development of the .ke DNSSec Practice Statements (policy), which determine how DNSSec will be deployed.
  • 5. .ke DNSSec Deployment Roadmap
      • The phase after setting up the test server was to simulate the root servers. This would help us develop a real-life chain of trust.
      • DNSSec was deployed on the propagation server and the IANA database updated on 17th March 2014.
      • 17th April 2014: the first ZSK key rollover for .ke.
      • DNSSec was deployed on the registry test server for SLDs on 17th April 2014.
      • DNSSec will be deployed on the registry system on 12th June 2014.
  • 6. DNS and DNSSec Introduction
      • The DNS is a critical piece of the Internet's infrastructure and makes a natural target for people and organizations attempting to abuse the Internet. Threats to the DNS take many forms.
      • Some threats are attacks on the zone files and servers that make up the infrastructure of the DNS.
      • To understand DNSSEC – and what it can and cannot provide – a basic understanding of the threats to the DNS is important.
      • The DNS is subject to security problems in three key areas: confidentiality, integrity and availability. For the purposes of this work, a loss of confidentiality is the unauthorized disclosure of or access to information. A loss of integrity is the unauthorized modification or destruction of information. A loss of availability is the disruption of access to the underlying service.
      • DNSSEC is not an extension that provides tools for ensuring confidentiality or availability. Instead, its goal is to ensure integrity.
  • 7. Technical Solution on DNSSec Deployment
    Some issues that affect the DNSSec deployment had to be looked at first:
      • Update of BIND to a version that supports DNSSec
      • Update of both the registry and propagation server OS to versions that easily support applications that automate DNSSec
      • Key storage and management module
      • Update of the registry system
      • Ensuring the initial systems work well with the updated systems
  • 8. Technical Solution on DNSSec Deployment cont.
    To solve the issues previously listed, KeNIC had to:
      • Run two DNSSec systems in parallel:
          • Run manual DNSSec on the propagation server
          • Automate DNSSec on the registry system
      • This is because the .ke zone does not change a lot, so frequent re-signing of the zone is not needed.
      • The registry server updates the zone files every 30 minutes and would require automation.
      • Update the registry system to the current version, which allows registrars to upload the DS record of a domain to the registry system.
  • 9. Technical Solution on DNSSec Deployment cont.
    To solve the issues previously listed, KeNIC had to:
      • Run two DNSSec systems in parallel:
          • Run manual DNSSec on the propagation server
          • Automate DNSSec on the registry system
      • This is because the .ke zone does not change a lot, so frequent re-signing of the zone is not needed.
      • The registry server updates the zone files every 30 minutes and would require automation.
      • Update the registry system to the current version, which allows registrars to upload the DS record of a domain to the registry system.
      • Use SoftHSM for key storage and management (this will be used for a year before migrating to an HSM).
      • Use OpenDNSSEC for DNSSec automation.
  • 10. DNSSec Uptake Strategy
      • Another major challenge of DNSSec after deployment is ensuring registrars and registrants use the technology.
      • This is attributed to the cost of managing and setting up a DNSSec environment.
      • The biggest challenge is making a business case for DNSSec.
      • As a registry, KeNIC will help create a business case for DNSSec to increase uptake of DNSSec.
  • 11. Creating a DNSSec Business Case
    We can help create a business case by:
      • Reducing the effort (cost) of DNSSec implementation
      • Providing incentives to the registrars
  • 12. Reduce the Effort (Cost)
    This simply means bringing down the cost of DNSSec implementation. This can be achieved by:
      • Research and sharing
      • Simplifying DNSSec implementation for registrars
      • Automation
      • Reducing the risk of DNSSec implementation
  • 13. Examples of Reducing the Effort
      • For registrars – developing toolkits registrars can patch into their domain management systems. We have a similar thing for registrar-registry automation.
      • For registrants – updating the already automated registration process for most registrars to have a one-click DNSSec.
      • ISPs – helping them create simple DNSSec resolvers.
      • Users – having an on/off DNSSec option enabled by default.
  • 14. Providing Incentives
    There are two possible ways KeNIC would like to accomplish this:
      • Make DNSSec a requirement
      • Generate user demand
  • 15. Make DNSSec a Requirement
      • By contractual agreement, where all registrars are obligated to support DNSSec
      • Any new registrar must have a DNSSec resolver and knowledge of DNSSec
      • Collaboration with the government in ensuring government institutions deploy DNSSec
  • 16. Generate User Demand
    Users need a reason to "want" DNSSec. The potential reason is "Security", "Security", "Security". Increase security:
      • This will only work if visible to end users
      • This requires education
  • 17. Providing Incentives Example
      • Target larger security-conscious organisations
      • Lobby software developers to implement
      • Build DNSSEC as a requirement into other applications (when it makes sense)
      • Find innovative uses for a secure DNS (e.g. to supplement CAs)
  • 18. Challenges on DNSSec Deployment for .ke
      • Integration of DNSSec into our current system
      • DNSSec automation
      • Equipment needed to run DNSSec in line with DNSSec best practice
      • Uptake of DNSSec after the registry has implemented DNSSec
      • Lack of easy tools for registrars to deploy DNSSec in their environment. Most registrars in Kenya use WHM and cPanel.
      • Organization structure makes management of DNSSec complex
  • 19. Lessons Learned
      • DNSSec deployment is technically not a hard task. The hard task is management of DNSSec and DNSSec policy development.
      • Registries can use SoftHSM if an HSM is expensive, but this is not a best practice for DNSSec.
      • There are free automation tools for DNSSec. They work well in the registry environment.
      • Deployment of DNSSec for a registry is not the last step. The last step is ensuring uptake of DNSSec by the end users.
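
Slides 8 and 9 have registrars upload a domain's DS record to the registry system. As an added example (not KeNIC's code and not part of the original deck), the following shows a registry-side check that an uploaded DS record actually matches the child zone's DNSKEY, using the key tag and digest construction from RFC 4034. The name `example.co.ke`, the key bytes and all function names are constructed for illustration.

```python
import hashlib
import struct

# DS digest type numbers -> hash constructors (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS in presentation form: digest over owner name (wire form) + DNSKEY RDATA."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def check_ds_upload(owner, ds_text, rdata):
    """Return a list of problems; an empty list means the DS matches the DNSKEY."""
    fields = ds_text.split()
    if len(fields) < 4:
        return ["malformed DS: expected keytag, algorithm, digest type, digest"]
    try:
        tag, alg, dtype = (int(f) for f in fields[:3])
    except ValueError:
        return ["malformed DS: non-numeric field"]
    digest = "".join(fields[3:]).upper()
    problems = []
    if not struct.unpack("!H", rdata[:2])[0] & 0x0100:
        problems.append("DNSKEY lacks the Zone Key flag")
    if tag != key_tag(rdata):
        problems.append("key tag does not match DNSKEY")
    if alg != rdata[3]:
        problems.append("algorithm does not match DNSKEY")
    if dtype not in DIGESTS:
        problems.append("unsupported digest type")
    elif digest != DIGESTS[dtype](name_to_wire(owner) + rdata).hexdigest().upper():
        problems.append("digest does not match owner name + DNSKEY")
    return problems

# Constructed sample: a KSK (flags 257) with placeholder key bytes, not a real key.
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, bytes(range(1, 9)))
SAMPLE_DS = make_ds("example.co.ke", SAMPLE_RDATA)
```

Because the digest covers the owner name, a DS copied from one domain to another fails the check even when the key is identical.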