Evolution of DNSSEC Implementation at Nominet
This content details the evolution of DNSSEC implementation at Nominet, covering key milestones from initial infrastructure deployment in 2008 to the adoption of a new approach in 2016. It discusses the challenges faced, technology used over the years, and the transition to a new DNSSEC approach in 2016 focused on security and efficiency. The journey reflects the continuous improvement and adaptation in securing the DNS infrastructure.
Presentation Transcript
How we made DNSSEC simple(r) 09.04.19 Brett Carr
DNSSEC primer
- Public keys are published in the zone.
- Private keys need to be protected.
- Rapidly updated zones need constant signing.
- If signing breaks, updates stop.
- Classed as a critical top-tier service.
DNSSEC at Nominet: a potted history
- 2008: initial infrastructure deployment
- 2009: we first signed .uk
- 2011: we had a small issue
- 2013: changed infrastructure
- 2014: we started signing gTLDs
- 2016: changed infrastructure
DNSSEC tech used, 2009
- Sun SCA6000 HSM and CentOS 5
- OpenDNSSEC signing automation
- Sites in Oxford and Kent
- Unreliable: a failure caused the 2011 issue
- Taken over by Oracle: price hike
- Support split between two companies
DNSSEC tech used, 2013
- Thales HSM, network based
- OpenDNSSEC signing automation
- Sites in Slough and West London
- Reliable, but complex and difficult to support
- Support split between two companies
2016: new DNSSEC
- No HSM
- All signing is done on a geographically replicated VM with BIND
- Supported by one company (ISC)
- Private keys on an encrypted partition protected by a split password
- Split-password intervention needed at boot
- Access to the machine is XFR and console only (no ssh)
- Console login protected by a split password
- All changes done by an engineer and monitored by a security officer