KeNIC – DNSSec Case Study
2nd June 2014
BY
TOILEM PORIOT GODWIN
KeNIC INTRODUCTION

KeNIC is the ccTLD manager of the .ke namespace.

KeNIC is a not-for-profit organization.

KeNIC is in the final process of implementing DNSSec.

Full implementation is expected to be complete by 12th June 2014.

KeNIC has a total of 170 registrars and a total of 36000 domains.
.KE Registry Setup

.ke Top level is not open for registration.

.ke has a propagation server and a registration server for SLD registration.

The registry server generates zone files after domain registration and forwards the domains every 30 mins to the propagation server.

Domain details are stored in the registry server, and only the zone file generated by the registry is sent to the propagation server.

Domain registration has been automated to the registry via EPP and 50%
of registrars are fully automated.
.ke DNSSec Deployment Roadmap

Interest in setting up DNSSec in Kenya started in 2010.

DNSSec deployment was planned to start in May 2012.

Setup started in 2013 after the first DNSSec Roadshow by ICANN.

An updated DNSSec test server was set up in June 2013.

The most challenging part was the development of the .ke DNSSec Practice Statements (policy), which determine how DNSSec will be deployed.
.ke DNSSec Deployment Roadmap

The phase after setting up the test server was to simulate the root servers. This would help us develop a real-life chain of trust.

DNSSec deployed on the propagation server and IANA database updated on 17th March 2014

17th April 2014: the first ZSK key rollover for .ke

DNSSec deployed on registry test server for SLDs on 17th April 2014

DNSSec will be deployed on the Registry System on 12th June 2014
DNS and DNSSec Introduction

The DNS is a critical piece of the Internet's infrastructure and makes a
natural target for people and organizations attempting to abuse the Internet.
Threats to the DNS take many forms.

Some threats are attacks on the zone files and servers that make up the
infrastructure of the DNS.

To understand DNSSEC – and what it can and cannot provide – a basic
understanding of the threats to the DNS is important.

The DNS is subject to security problems in three key areas: confidentiality,
integrity and availability. For the purposes of this work a loss of
confidentiality is the unauthorized disclosure of or access to information. A
loss of integrity is the unauthorized modification or destruction of
information. And a loss of availability is the disruption of access to the
underlying service.

DNSSEC is not an extension that provides tools for ensuring confidentiality
or availability. Instead, its goal is to ensure integrity.
Technical Solution on DNSSec Deployment
Some issues that affect the DNSSec deployment had to be looked at first:

Update of BIND to a version that supports DNSSec

Update of both Registry and Propagation Server OS to
OS versions that easily support applications that
automate DNSSec

Key storage and management Module.

Update of the registry System

Ensure initial systems work well with the updated
systems
Technical Solution on DNSSec Deployment (cont.)
To solve the issues previously listed, KeNIC had to:

Run two DNSSec systems in parallel:

Run manual DNSSec on the propagation server

Automate DNSSec on the registry system

This is because the .ke zone does not change a lot, so frequent re-signing of the zone is not needed.

The registry server updates the zone files every 30 mins and would require automation.

The registry system was updated to the current version, which allows registrars to upload the DS record of a domain to the registry system.

Use SoftHSM for key storage and management (this will be used for a year before migrating to an HSM).

Use OpenDNSSEC for DNSSec automation.
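
The slides say registrars upload the DS record of a domain to the registry system. The following is an added example, not KeNIC's code and not part of the original slides, of a registry-side check that a submitted DS record matches a DNSKEY published by the child zone, using the RFC 4034 key tag and DS digest rules. All function names, the domain example.co.ke and the key bytes are constructed placeholders, and accepting only SHA-256 and SHA-384 digests is an assumed policy.

```python
"""Validate a registrar-submitted DS record against the child zone's DNSKEYs."""
import base64
import hashlib

# DS digest type -> hash (2 = SHA-256, 4 = SHA-384). Assumed registry policy:
# any other digest type is rejected.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # bit 7 of the DNSKEY flags field


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Build DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    public_key = base64.b64decode(public_key_b64, validate=True)
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """DS = (key tag, algorithm, digest type, hash(owner wire name | DNSKEY RDATA))."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def check_ds_submission(owner, ds, dnskeys):
    """Return (accepted, reason) for a DS tuple submitted for `owner`.

    `dnskeys` is the list of DNSKEY RDATA values the registry fetched from
    the child zone's name servers.
    """
    tag, algorithm, digest_type, digest_hex = ds
    if digest_type not in DIGESTS:
        return False, "unsupported digest type"
    for rdata in dnskeys:
        if key_tag(rdata) != tag or rdata[3] != algorithm:
            continue
        if not int.from_bytes(rdata[:2], "big") & ZONE_KEY_FLAG:
            return False, "matching key is not a zone key"
        if make_ds(owner, rdata, digest_type)[3] == digest_hex.upper():
            return True, "ok"
        return False, "digest mismatch"
    return False, "no DNSKEY with that key tag and algorithm"


# Constructed sample data: the public keys are 4 placeholder bytes, not real keys.
OWNER = "example.co.ke"
KSK = dnskey_rdata(257, 3, 8, "AQIDBA==")  # flags 257: zone key + SEP
ZSK = dnskey_rdata(256, 3, 8, "CgsMDQ==")  # flags 256: zone key
NOT_ZONE_KEY = dnskey_rdata(0, 3, 8, "AQIDBA==")

if __name__ == "__main__":
    good = make_ds(OWNER, KSK)
    print(good, check_ds_submission(OWNER, good, [ZSK, KSK]))
    stale = make_ds("other.co.ke", KSK)  # DS generated for a different owner
    print(stale, check_ds_submission(OWNER, stale, [ZSK, KSK]))
```

Because the owner name is part of the hashed input, a DS computed for one domain is rejected when submitted for another even if the key is identical.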
DNSSec Uptake Strategy

Another major challenge of DNSSec after deployment is ensuring
registrars and registrants use the technology

This is attributed to the cost of managing and setting up a DNSSec
environment.

The biggest challenge is making a Business case for DNSSec

As a registry, KeNIC will help create a business case for DNSSec to
increase uptake of DNSSec.
Creating a DNSSec business case
We can help create a business case by:

Reduce the effort(cost) for DNSSec
implementation

Provide incentives to the registrars
Reduce the effort (cost)
This simply means bringing down the cost of
DNSSec implementation. This can be achieved
by:

Research and share

Simplifying DNSSec implementation for
registrars

Automation

Reduce the risk of DNSSec implementation
Examples of reducing the effort
For registrars – Developing toolkits registrars can patch into their domain management systems. We have a similar thing for registrar-registry automation.
For registrants – Update the already automated registration process for most registrars to have a one-click DNSSec.
ISPs – Help them create simple DNSSec resolvers
Users – Having an on/off DNSSec option enabled by default
Providing Incentives
There are two possible ways KeNIC would
like to accomplish this:

Make DNSSec a Requirement

Generate User demand
Make DNSSec a requirement

By contractual agreement where all
registrars are obligated to support
DNSSec

Any new registrar must have a DNSSec
resolver and knowledge of DNSSec

Collaboration with the government in
ensuring government institutions deploy
DNSSec.
Generate User Demand
Need a reason to “want” DNSSec.
The potential reason is “Security” “Security”
“Security”.
Increase security:

This will only work if visible to end users

This requires education
Providing Incentives example

Target larger security conscious organisations
• Lobby software developers to implement
• Build DNSSEC as requirements into other
applications (when it makes sense)
• Find innovative uses for a secure DNS (e.g. to
supplement CAs)

Challenges on DNSSec Deployment for .ke

Integration of DNSSec into our current system

DNSSec automation.

Equipment needed to run DNSSec in line with DNSSec best practice

Uptake of DNSSec after the registry has implemented DNSSec

Lack of easy tools for registrars to deploy DNSSec in their environment.
Most registrars in Kenya use WHM and cPanel.

Organization structure makes management of DNSSec complex
Lessons Learned

DNSSec deployment is technically not a hard task. The hard task is
management of DNSSec and DNSSec policy development

Registries can use SoftHSM if an HSM is expensive. But this is not a best practice for
DNSSec

There are free automation tools for DNSSec. They work well in the registry environment

Deployment of DNSSec for a registry is not the last step. The last step is ensuring
uptake of DNSSec by the end users

Weitere ähnliche Inhalte

Was ist angesagt?

DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK
DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSKDefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK
DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSKPunky Duero
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesSeungjoo Kim
 
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric VanderburgNetworking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric VanderburgEric Vanderburg
 
Deep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemDeep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemSeungjoo Kim
 
Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49ICANN
 
How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleSeungjoo Kim
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
Nagios 3
Nagios 3Nagios 3
Nagios 3zmoly
 

Was ist angesagt? (9)

DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK
DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSKDefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK
DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT Devices
 
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric VanderburgNetworking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
 
Deep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection SystemDeep Learning Based Real-Time DNS DDoS Detection System
Deep Learning Based Real-Time DNS DDoS Detection System
 
Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49Name Collision Mitigation Update from ICANN 49
Name Collision Mitigation Update from ICANN 49
 
How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development Lifecycle
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Nagios 3
Nagios 3Nagios 3
Nagios 3
 

Ähnlich wie KeNIC DNSSec Case Study

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?Afnic
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnErol Dizdar
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...Real-Time Innovations (RTI)
 
Itproadd 01 60 minute version
Itproadd 01 60 minute versionItproadd 01 60 minute version
Itproadd 01 60 minute versionTarique_1
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...
2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...
2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...Ambassador Labs
 
Best Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIXBest Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIXNoel McKeown
 
Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...
Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...
Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...Veritas Technologies LLC
 
Reply 1 neededThere are a couple of options available when upg.docx
Reply 1 neededThere are a couple of options available when upg.docxReply 1 neededThere are a couple of options available when upg.docx
Reply 1 neededThere are a couple of options available when upg.docxsodhi3
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallGlenn McKnight
 
1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docx
1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docx1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docx
1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docxaulasnilda
 
Kentico hosting brochure - By Seventyeight Digital
Kentico hosting brochure - By Seventyeight DigitalKentico hosting brochure - By Seventyeight Digital
Kentico hosting brochure - By Seventyeight DigitalSeventyeight Disgital
 

Ähnlich wie KeNIC DNSSec Case Study (20)

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?Deploying DNSSEC: what, how and where ?
Deploying DNSSEC: what, how and where ?
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 En
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-en
 
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
Upgrade Your System’s Security - Making the Jump from Connext DDS Professiona...
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
Itproadd 01 60 minute version
Itproadd 01 60 minute versionItproadd 01 60 minute version
Itproadd 01 60 minute version
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...
2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...
2017 Microservices Practitioner Virtual Summit: Ancestry's Journey towards Mi...
 
Best Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIXBest Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIX
 
Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...
Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...
Unlocking the Full Power of Your Backup Data with Veritas NetBackup Data Virt...
 
Linux and DNS Server
Linux and DNS ServerLinux and DNS Server
Linux and DNS Server
 
Reply 1 neededThere are a couple of options available when upg.docx
Reply 1 neededThere are a couple of options available when upg.docxReply 1 neededThere are a couple of options available when upg.docx
Reply 1 neededThere are a couple of options available when upg.docx
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 
1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docx
1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docx1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docx
1Running head WINDOWS SERVER DEPLOYMENT PROPOSAL2WINDOWS SE.docx
 
Kentico hosting brochure - By Seventyeight Digital
Kentico hosting brochure - By Seventyeight DigitalKentico hosting brochure - By Seventyeight Digital
Kentico hosting brochure - By Seventyeight Digital
 
Cl310
Cl310Cl310
Cl310
 

Mehr von Deploy360 Programme (Internet Society)

Mehr von Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

Kürzlich hochgeladen

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Kürzlich hochgeladen (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

KeNIC DNSSec Case Study

  • 1. KeNIC –DNSSec Case Study 2nd June 2014 BY TOILEM PORIOT GODWIN
  • 2. 2 KeNIC INTRODUCTION  KeNIC is the ccTLD manager of the .ke namespace.  KeNIC is a not-for-profit organization.  KeNIC isis in the final process of Implementing DNSSec  Full Implementation expected to be complete by 12th June 2014.  KeNIC has a total of 170 registrars and a total of 36000 domains.
  • 3. .KE Registry Setup  .ke Top level is not open for registration.  KE has a propagation server and a Registration server for SLD registartion.  Registry server generates zone files after domain registration and forwards domains every 30 mins to the Porpagation server  Domain details are stored in the registry server and only the zone file generated by the registry are sent to the propagation server  Domain registration has been automated to the registry via EPP and 50% of registrars are fully automated.
  • 4. .ke DNSSec Deployment Roadmap
      • Interest in setting up DNSSec in Kenya started in 2010.
      • DNSSec deployment was planned to start in May 2012.
      • Setup started in 2013 after the first DNSSec Roadshow by ICANN.
      • An updated DNSSec test server was set up in June 2013.
      • The most challenging part was the development of the .ke DNSSec Practice Statements (policy), which determine how DNSSec will be deployed.
  • 5. .ke DNSSec Deployment Roadmap
      • The phase after setting up the test server was to simulate the root servers. This would help us develop a real-life chain of trust.
      • DNSSec deployed on the propagation server and IANA database updated on 17th March 2014.
      • April 17th 2014: the first ZSK key rollover for .ke.
      • DNSSec deployed on the registry test server for SLDs on 17th April 2014.
      • DNSSec will be deployed on the registry system on 12th June 2014.
  • 6. DNS and DNSSec Introduction
      • The DNS is a critical piece of the Internet's infrastructure and makes a natural target for people and organizations attempting to abuse the Internet. Threats to the DNS take many forms.
      • Some threats are attacks on the zone files and servers that make up the infrastructure of the DNS.
      • To understand DNSSEC, and what it can and cannot provide, a basic understanding of the threats to the DNS is important.
      • The DNS is subject to security problems in three key areas: confidentiality, integrity and availability. For the purposes of this work, a loss of confidentiality is the unauthorized disclosure of or access to information. A loss of integrity is the unauthorized modification or destruction of information. A loss of availability is the disruption of access to the underlying service.
      • DNSSEC is not an extension that provides tools for ensuring confidentiality or availability. Instead, its goal is to ensure integrity.
  • 7. Technical Solution on DNSSec Deployment
    Some issues that affect the DNSSec deployment had to be looked at first:
      • Update of BIND to a version that supports DNSSec
      • Update of both the registry and propagation server OS to OS versions that easily support applications that automate DNSSec
      • Key storage and management module
      • Update of the registry system
      • Ensuring the initial systems work well with the updated systems
  • 8. Technical Solution on DNSSec Deployment cont.
    To solve the issues previously listed, KeNIC had to:
      • Run two DNSSec systems in parallel:
          • Run manual DNSSec on the propagation server
          • Automate DNSSec on the registry system
      • This is because the .ke zone does not change a lot, so frequent re-signing of the zone is not needed.
      • The registry server updates the zone files every 30 mins and would require automation.
      • Update the registry system to the current version, which allows registrars to upload the DS record of a domain to the registry system.
  • 9. Technical Solution on DNSSec Deployment cont.
    To solve the issues previously listed, KeNIC had to:
      • Run two DNSSec systems in parallel:
          • Run manual DNSSec on the propagation server
          • Automate DNSSec on the registry system
      • This is because the .ke zone does not change a lot, so frequent re-signing of the zone is not needed.
      • The registry server updates the zone files every 30 mins and would require automation.
      • Update the registry system to the current version, which allows registrars to upload the DS record of a domain to the registry system.
      • Use SoftHSM for key storage and management (this will be used for a year before migrating to an HSM).
      • Use OpenDNSSEC for DNSSec automation.
  • 10. DNSSec Uptake Strategy
      • Another major challenge of DNSSec after deployment is ensuring that registrars and registrants use the technology.
      • This is attributed to the cost of managing and setting up a DNSSec environment.
      • The biggest challenge is making a business case for DNSSec.
      • As a registry, KeNIC will help create a business case for DNSSec to increase uptake of DNSSec.
  • 11. Creating DNSSec business case
    We can help create a business case by:
      • Reducing the effort (cost) of DNSSec implementation
      • Providing incentives to the registrars
  • 12. Reduce the effort (cost)
    This simply means bringing down the cost of DNSSec implementation. This can be achieved by:
      • Research and share
      • Simplifying DNSSec implementation for registrars
      • Automation
      • Reducing the risk of DNSSec implementation
  • 13. Examples of reducing the effort
      • For registrars: developing toolkits registrars can patch into their domain management systems. We have a similar thing for registrar-registry automation.
      • For registrants: update the already automated registration process for most registrars to have a one-click DNSSec.
      • ISPs: help them create simple DNSSec resolvers.
      • Users: having an on/off DNSSec option enabled by default.
  • 14. Providing Incentives
    There are two possible ways KeNIC would like to accomplish this:
      • Make DNSSec a requirement
      • Generate user demand
  • 15. Make DNSSec a requirement
      • By contractual agreement, where all registrars are obligated to support DNSSec
      • Any new registrar must have a DNSSec resolver and knowledge of DNSSec
      • Collaboration with the government in ensuring government institutions deploy DNSSec
  • 16. Generate user demand
    Need a reason to "want" DNSSec. The potential reason is "Security" "Security" "Security". Increase security:
      • This will only work if visible to end users
      • This requires education
  • 17. Providing Incentives example
      • Target larger security-conscious organisations
      • Lobby software developers to implement
      • Build DNSSEC as requirements into other applications (when it makes sense)
      • Find innovative uses for a secure DNS (e.g. to supplement CAs)
  • 18. Challenges on DNSSec Deployment for .ke
      • Integration of DNSSec into our current system
      • DNSSec automation
      • Equipment needed to run DNSSec in line with DNSSec best practice
      • Uptake of DNSSec after the registry has implemented DNSSec
      • Lack of easy tools for registrars to deploy DNSSec in their environment. Most registrars in Kenya use WHM and cPanel.
      • Organization structure makes management of DNSSec complex
  • 19. Lessons Learned
      • DNSSec deployment is technically not a hard task. The hard task is management of DNSSec and DNSSec policy development.
      • Registries can use SoftHSM if an HSM is expensive, but this is not a best practice for DNSSec.
      • There are free automation tools for DNSSec. They work well in the registry environment.
      • Deployment of DNSSec for a registry is not the last step. The last step is ensuring uptake of DNSSec by the end users.
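
Slides 8 and 9 note that the updated registry lets registrars upload a domain's DS record, which is the link that extends the chain of trust from .ke to the child zone. As an added example (not KeNIC's code and not part of the original slides), the sketch below shows one check a registry could run before publishing a submitted DS: recompute the key tag (RFC 4034 Appendix B) and the SHA-256 digest (RFC 4509) from the child's DNSKEY and compare. The zone `example.ke`, the 4-byte public key and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed sample key material for the made-up zone example.ke (not a real key).
SAMPLE_PUBKEY = base64.b64encode(b"\x01\x02\x03\x04").decode()  # "AQIDBA=="


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1 keys)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) using SHA-256 (type 2)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def ds_matches_dnskey(owner, ds, flags, protocol, algorithm, pubkey_b64):
    """Accept a submitted DS only if it points at this usable zone key."""
    if protocol != 3 or not flags & 0x0100:  # protocol must be 3, Zone Key bit set
        return False
    tag, alg, dtype, digest = ds
    if dtype != 2:  # this example only checks SHA-256 digests
        return False
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
    return (tag, alg, dtype, digest.upper()) == expected
```

A DS that fails this comparison would leave the delegation unverifiable for validating resolvers, so rejecting it at upload time keeps a registrar's typo from taking the domain offline.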