SaudiNIC's Experience in Deploying DNSSEC


SaudiNIC embarked on a comprehensive journey to deploy DNSSEC, starting with observing its growth and conducting in-depth studies on pioneer implementations worldwide. The project involved creating a startup team, drafting procedures, conducting workshops, and enabling DNSSEC on various platforms. Key activities included reviewing RFCs, establishing DNSSEC procedures, managing keys, and addressing associated risks for secure online transactions.


Uploaded on Oct 04, 2024



Presentation Transcript


  1. SaudiNIC Experience in Deploying DNSSEC
     AbdulRahman Al-Ghadir, SaudiNIC - CITC
     MENOG 16

  2. The Start
     - SaudiNIC observed the development of DNSSEC until it matured.
     - SaudiNIC staff conducted a study consisting of:
       - What is DNSSEC?
       - An in-depth study of some pioneer DNSSEC implementations:
         - Netherlands
         - New Zealand
       - A road map for DNSSEC deployment by SaudiNIC

  3. Road Map
     - Start of the project
     - Creating startup team
     - DPS draft
     - SaudiNIC DNSSEC procedures
     - SaudiNIC DNSSEC setup
     - DNSSEC workshop
     - Building test lab
     - Enabling DNSSEC on .Alsaudiah (IDNA)
     - Enabling DNSSEC on .SA
     - Open DNSSEC for public
     - End of the project

  4. Creating DNSSEC Startup Team
     - Read, read, read:
       - DNSSEC RFCs
       - Best practices
       - Guidelines
       - Technical implementation
       - Presentations and reports
     - Continuous meetings and brainstorming sessions
     - Test, test, test

  5. DPS Draft
     - Review several related RFCs.
     - Review some registries' DPSs:
       - .ca Canada
       - .au Australia
       - .nz New Zealand
       - .at Austria
       - .com
       - .cl Chile
       - etc.

  6. DPS Draft

  7. SaudiNIC DNSSEC Procedures

  8. SaudiNIC DNSSEC Procedures
     - DNSSEC Keys Generation Ceremony
     - DNSSEC Keys Installation Procedure
     - DNSSEC Emergency Keys Installation Procedure
     - DNSSEC New Safe Arrangement Procedure
     - DNSSEC Safe Content Transfer Procedure

  9. SaudiNIC DNSSEC Setup

  10. DNSSEC Credential Matrix

  11. DNSSEC Key Management Risks

  12. Keys Setting
      The zone is signed using a pair of keys:
      - Key Signing Key (KSK):
        - RSA/SHA2
        - Rollover every 1 year
        - Key size is 2KB
        - Key rollover algorithm is Double signature
      - Zone Signing Key (ZSK):
        - RSA/SHA2
        - Rollover every 6 months
        - Key size is 2KB
        - Key rollover algorithm is Pre-publish

  13. Building a Test Lab
      - A virtual setup identical to the actual DNSSEC setup.
      - Hands-on work with DNSSEC to test it out.
      - Selection of HW/SW for DNSSEC systems that meet our needs.
      - Validate key generation, signing, key rollover, etc.

  14. Challenges
      - So many documents related to DNSSEC to read and digest (RFCs, best practices, etc.).
      - Rollover techniques (key rollover and algorithm rollover).
      - So many parameters to tune (RRSIG inception and expiration, jitter, Max/Min TTL, etc.).
      - Easy to break!

  15. What is Next?
      - Enabling DNSSEC on .Alsaudiah (IDNA).
      - Monitor and keep track of what is going on.
      - Allow closed access to certain clients.
      - Monitor and keep track of what is going on.
      - Enabling DNSSEC on .SA.
      - Monitor, monitor, monitor, etc.
      - Done!

  16. Thank you!
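
The "Keys Setting" and "Challenges" slides name two rollover methods and the timing parameters that make them easy to break. The sketch below is an added example, not SaudiNIC's tooling: it derives the event order for both methods using the intervals defined in RFC 7583. The lifetimes come from the slide; every TTL and delay, and the reading of "6 months" as 182 days, are constructed assumptions.

```python
from datetime import datetime, timedelta

# Lifetimes from the "Keys Setting" slide; 6 months taken as 182 days (assumption).
ZSK_LIFETIME = timedelta(days=182)
KSK_LIFETIME = timedelta(days=365)

# Constructed sample parameters, not SaudiNIC's values.
TTL_DNSKEY = timedelta(hours=1)    # TTL of the DNSKEY RRset
TTL_SIG = timedelta(hours=1)       # longest TTL of any signed RRset in the zone
TTL_DS = timedelta(days=1)         # TTL of the DS RRset in the parent zone
D_PRP = timedelta(hours=1)         # propagation delay to all authoritative servers
D_PRP_PARENT = timedelta(hours=1)  # the same delay for the parent zone
D_SGN = timedelta(days=1)          # time to re-sign the whole zone with a new ZSK


def zsk_prepublish(activated):
    """Pre-publish ZSK rollover: publish the new key before it signs anything."""
    retire = activated + ZSK_LIFETIME         # successor takes over signing here
    i_pub = D_PRP + TTL_DNSKEY                # caches must already hold the new DNSKEY
    i_ret = D_SGN + D_PRP + TTL_SIG           # old signatures must expire from caches
    return {
        "publish_successor": retire - i_pub,  # latest safe publication time
        "activate_successor": retire,
        "remove_old": retire + i_ret,         # earliest safe removal time
    }


def ksk_double_signature(activated, ds_delay):
    """Double-signature KSK rollover: both KSKs sign the DNSKEY RRset.

    ds_delay is how long the parent takes to swap the DS after submission.
    Assumption: the rollover point is the moment the parent swaps the DS.
    """
    i_pub = D_PRP + TTL_DNSKEY
    i_ret = D_PRP_PARENT + TTL_DS             # the old DS must expire from caches
    ds_swapped = activated + KSK_LIFETIME
    submit_ds = ds_swapped - ds_delay
    return {
        "publish_successor": submit_ds - i_pub,
        "submit_ds": submit_ds,
        "ds_swapped": ds_swapped,
        "remove_old": ds_swapped + i_ret,
    }


if __name__ == "__main__":
    start = datetime(2015, 1, 1)
    for name, plan in (("ZSK", zsk_prepublish(start)),
                       ("KSK", ksk_double_signature(start, timedelta(days=2)))):
        for event, when in plan.items():
            print(f"{name} {event:20} {when:%Y-%m-%d %H:%M}")
```

Removing the old key before `remove_old`, or activating the new ZSK before caches can hold its DNSKEY, leaves validating resolvers with signatures they cannot verify.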