DNSSEC Deployment Activity in Japan - Introduction of DNSSEC Japan -
Yoshiki Ishida, Yoshiro Yoneya, Tsuyoshi Toyono, Miki Takata
DNSSEC Japan
Agenda
• Background
• Introduction of DNSSEC Japan
• Accomplishments from the activity
• Future plan
Background (1)
• DNSOPS.jp
– DNS Operators Group in Japan
– Voluntary DNS operators community in Japan
– Established in June 2006, forked from JANOG
  • JANOG (Japan Network Operators’ Group)
  • http://www.janog.gr.jp/
– The purpose of DNSOPS.jp is to share know-how and to discuss daily DNS operations
– Activities:
  • Semiannual BoFs (about 100 participants)
  • ML (about 1400 subscribers)
  • http://dnsops.jp/ (Japanese only)
Background (2)
• DNSSEC deployment is now ongoing
– Most DNS operators are not ready for DNSSEC.
– It is difficult for average DNS operators to adopt DNSSEC: they have no documents in Japanese, no experience, no know-how, and no L10N activity
– Signing schedules are coming up not only for “.JP” but also for other TLDs
– DNS operators are asking for DNSSEC deployment activity both in Japan and in Japanese
– A collaboration group is needed, especially in the introduction phase
Players around DNSSEC
[Diagram labels: End Users; Home Routers/Adapters; Security Appliance; Internet Service Provider; Recursive DNS servers; The Internet; Authoritative DNS servers; Contents Servers (Web/Mail Servers); Registrants; Customer Support; Domain Name Resellers; Domain Name Registrars; Domain Name Registries (root, gTLDs, ccTLDs…)]
Environment around DNS operators
• There is a request for adopting DNSSEC from a customer.
• Do we need to replace our DNS servers?
• How much does it cost? Do we make money from it?
• How do we transfer a domain?
• We cannot operate entire systems smoothly
• I cannot access the Internet.
Knowledge and expertise about DNSSEC are not widespread!
DNS operators must decide: whether to adopt DNSSEC or not, when and how, toll or free.
DNSSEC Japan
• The Charter of DNSSEC Japan (DNSSEC.jp)
– Name of the Organization
  The official name of this organization is “DNSSEC Japan” and abbreviated as “DNSSEC.jp”.
– The Charter
  “DNSSEC Japan (DNSSEC.jp)” is established as a forum for domain name registries, registrars, registrants and relevant parties such as DNS and network operators with the aim of introducing and deploying DNSSEC that enhances security of the DNS. DNSSEC.jp makes it a principle to carry out activities based on the mutual cooperation by participants.
DNSSEC Japan
• Objectives and Activities of DNSSEC.jp
1) Objectives
DNSSEC.jp intends to sort out and discuss issues in relation to deployment and operation of DNSSEC to enhance technical capability of participants and sharing of technical expertise. It also conducts outreach activities such as providing relevant tools and giving technical commentaries.
2) Activities
Activities of DNSSEC.jp are:
  • To sort out and share issues regarding introduction and operation of DNSSEC;
  • To conduct technical verifications and accumulate expertise for introduction and operation of DNSSEC;
  • To develop BCP relating to introduction and operation of DNSSEC; and
  • To deploy DNSSEC through propagating results of its activities.
• Established on 24 November 2009
DNSSEC Japan
• Membership (35 organizations as of January)
– Registry/Registrar
– Carrier/IXP
– ISP
– Hosting Provider
– Contents Provider
– Vendor/System Integrator
– Internet-Related Organizations
Member List
– Augment Inc.
– Boot Communication Co., LTD.
– Broadband Tower, Inc.
– Digital-Effect Network Co., Ltd.
– DNS Operators Group, Japan
– Future Spirits Co., Ltd.
– GMO Hosting & Security Inc.
– Infoblox Inc.
– Internet Multifeed Co.
– Internet Initiative Japan Inc.
– Internet Research Institute, Inc.
– Japan Computer Emergency Response Team Coordination Center
– Japan Internet Exchange Co., Ltd.
– Japan Network Information Center
– Japan Registry Services Co., Ltd.
– Livedoor Co., Ltd.
– Mirai Communication Network Inc.
– NEC BIGLOBE Ltd.
– NetAgent Co., Ltd.
– NeuStar Inc.
– NRI Secure Technologies, Inc.
– NTT Communications Corporation
– NTTPC Communications, Inc.
– Rakuten, Inc.
– Sakura Internet Inc.
– SANYO Information Technology Solutions Inc.
– Sarion Systems Research
– SOFTBANK BB Corp.
– SOFTBANK TELECOM Corp.
– So-net Entertainment Corporation
– STNet Inc.
– Telecom-ISAC Japan
– Thales Japan, Inc.
– Tokyo Electron Device Limited
– YOYO Planning
DNSSEC Japan
• Structure
– Officers
  • Chairman: Yoshiki Ishida
  • Co-Chairman: Tsuyoshi Toyono, Yoshiro Yoneya
– Plenary Meeting (bi-monthly)
  • Technology Verification WG (Tech-WG) chaired by Tsuyoshi Toyono
  • Public Relations WG (Pub-WG) chaired by Miki Takata
• Public Relations (in Japanese)
– Web
  • http://dnssec.jp/
– Twitter
  • @dnssec_jp, #dnssec_jp
DNSSEC Japan
• Activities
– Technology Verification and Research Activities
  • Summary on international trends
  • Survey on the interface between registrars and registries
  • Operational tools
  • Verification of network equipment
  • Registrar transfer / BCP method verification
  • Simulation scenarios
  • Proper method of introducing the trust anchor into recursive DNS servers
DNSSEC Japan
• Events
– March - September, 2010: Study group on DNSSEC protocols and its operational technology with hands-on
– July 21, 2010: DNSSEC 2010 Summer Forum
– November 15, 2010: DNSSEC Service Model Workshop
– November 25, 2010: DNS DAY (within Internet Week 2010)
– April, 2011: DNSSEC 2011 Spring Forum (coming)
• Public Relations
– Presentations at some related conferences in Japan
– Disclosure of all accomplishments on the Web
• Miscellaneous
– Logo contest (July, 2010)
– Novelties sponsored by JPRS
[Logo image callout: This is keyhole]
DNSSEC Japan
• DNSSEC 2010 Summer Forum
– Date: 21 July, 2010
– Agenda
  • What is DNSSEC
  • Introduction of DNSSEC Japan
  • DNSSEC Japan's Working Group
  • The status of root zone signing
  • The status of ccTLD, gTLD zone signing
  • The schedule of “.JP” zone signing
  • DNSSEC Key Management
  • Closing
– Participants: 120
  • ISP, DNS Provider, Hosting, SIer, DNS operators at enterprise and academic organizations, etc.
DNSSEC Japan
• DNSSEC Service Model Workshop
– Date: 15 November, 2010
– Closed Meeting
– Participants: 12
  • Carrier, ISP, Hosting Provider, Registrar, Registry
– Discussion about DNSSEC Service Model
  • Service Styles
    – Authoritative DNS servers
    – Recursive DNS servers
  • Charge
– Some Practices derived from the discussion were presented at “DNS Day” on 25 November, 2010
Purpose of Tech-WG
1. To investigate what kind of effect will occur on WG members’ service and products, and to verify them in a lab environment.
2. To check the DNSSEC status of WG members’ services and products, and to share and accumulate operational know-how.
3. To publish guidelines and BCPs from accumulated expertise.
Publication List from Tech-WG
• DNSSEC mechanisms and the present status
– Brief summary of DNSSEC and its present state.
• Issues on adopting DNSSEC
– Summary of the issues each player should consider when adopting DNSSEC.
• How to set up DNSSEC trust anchors for the resolver
– Best current practice on configuring the trust anchor on a recursive DNS server (or resolver) in a secure way.
• Report on the DS registration interface for the various registries
– Summary of the research carried out by Tech-WG on the registries’ key registration interfaces.
• Registrar Transfer Guideline
– Guideline of practical methods for registrar transfer
Scenario Simulation - Registrar
[Diagram labels: User Query; Internet; Parent Zone (gTLDs, ccTLDs); Authoritative DNS servers; Load Balancers; NAT; global; Registration; Domain Name Registration; User I/F for Registrants (e.g. Web); Customer DB; RR Management DB]
Scenario Simulation - Registrar
[Diagram labels: User Query; Internet; Parent Zone (gTLDs, ccTLDs); Authoritative DNS servers; Load Balancers; NAT; global; Registration; Domain Registration; User I/F for Registrant (via Web); Customer DB; RR Management DB]
[Annotations on the diagram: User registration UI (Web, etc.); Generation of a key; Update (transfer); Deletion of the key; Key Management DB; Key Generation; Zone Signing; Performance of LBs; Performance of Servers; DNSSEC Key Registration I/F]
Scenario Simulation - Registrar
[Diagram labels: User Query; Internet; Parent Zone (gTLDs, ccTLDs); Authoritative DNS servers; Load Balancers; NAT; global; Registration; Domain Registration; User I/F for Registrant (via Web); Customer DB; RR Management DB]
[Annotations on the diagram: U I/F Restriction; Key management DB; Rate Limit; Registration System; Signing, Key generation, Key rollover; Zone data submission, order to reload; Zone copy, reload; Key generation Server]
Results from Scenario Simulation
• There are many points where specifications change
– Key generation, key management, zone signing, update of DNS servers
– Key registration systems must be changed according to registry systems
• User interface for registrants is very important
– DNSSEC signing, unsigning
– Delete, re-registration
• Registrar must review all configurations
– Load balancers
– Rate limit against amplifier attack or DDoS attack
– TCP port 53 filtering
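Why TCP port 53 filtering is on the review list, as an added example that is not part of the slides or of DNSSEC.jp's material: signed responses are larger than unsigned ones, so an authoritative server may set the TC (truncated) flag on a UDP answer and the resolver then retries over TCP. The sketch builds a DNSSEC-OK query and evaluates a constructed truncated response; the function names, `example.jp` and the payload sizes are assumptions chosen for illustration.

```python
import struct

DO_BIT = 0x8000            # EDNS0 "DNSSEC OK" flag in the OPT flags field
TC_BIT = 0x0200            # header flag: answer truncated to fit in UDP
TYPE_OPT, TYPE_DNSKEY = 41, 48

def encode_name(name):
    labels = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"

def opt_record(udp_size, do=True):
    # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode (1) | version (1) | flags (2), RDLENGTH 0.
    return struct.pack("!BHHBBHH", 0, TYPE_OPT, udp_size, 0, 0,
                       DO_BIT if do else 0, 0)

def build_query(name, qtype=TYPE_DNSKEY, udp_size=1232, msg_id=0x1234):
    """DNSSEC-OK query as a validating resolver would send it."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_record(udp_size)

def skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length

def inspect(msg):
    """Extract the header and EDNS0 fields that matter for the review."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    edns = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns = {"udp_size": rclass, "do": bool(ttl & DO_BIT)}
    return {"id": msg_id, "truncated": bool(flags & TC_BIT), "edns": edns}

def constructed_truncated_response(query):
    # Constructed sample, not captured traffic: QR=1, AA=1, TC=1,
    # question echoed, no answer records, OPT in the additional section.
    msg_id = struct.unpack("!H", query[:2])[0]
    end_q = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", msg_id, 0x8000 | 0x0400 | TC_BIT, 1, 0, 0, 1)
    return header + query[12:end_q] + opt_record(4096)

def review_path(response, tcp53_reachable):
    if not inspect(response)["truncated"]:
        return "ok: answer fit in UDP"
    if tcp53_reachable:
        return "ok: truncated, resolver can retry over TCP"
    return "fail: truncated and TCP/53 filtered, signed answer is unreachable"

if __name__ == "__main__":
    q = build_query("example.jp")
    r = constructed_truncated_response(q)
    print(inspect(q), inspect(r))
    print(review_path(r, tcp53_reachable=False))
```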
Results from Service Model Workshop
• Adopting DNSSEC into the Service
– There is no “Active” Motivation.
  • Cost: very expensive
  • Additional Income: very small (or none)
• “Passive” Motivations
– Risk is very high when security incidents or accidents occur.
– Business chances may be lost without DNSSEC skills.
• Suggestions:
– Adopting DNSSEC has few advantages, but not adopting it has many disadvantages
– Service Providers should decide when and how they adopt DNSSEC in a short time
Registrars and DNS Service Providers
• Authoritative DNS servers side
– TLD Registries adopt or will adopt DNSSEC
– Registrars should consider whether they adopt or not
– The same applies to DNS Service Providers
• Recursive DNS servers side
– Internet Service Providers should consider whether they adopt or not, and when and how if they adopt
Unofficial status among members

Registrar

| Name | Service Style | Owner of keys | Fee | When? |
|------|---------------|---------------|-----|-------|
| A | DS Record Handling | Registrant | Free | TBD |
| B | DS Record Handling | Registrant | Toll | Mar, 2011 |

Authoritative DNS Provider

| Name | Service Style | Owner of keys | Fee | When? |
|------|---------------|---------------|-----|-------|
| C | Optional Service | Provider | Toll | Mar, 2011 |
| D | Optional Service | Provider | Free | TBD |
| E | Default Service | Provider | Free | TBD |
| F | Default for New Customers | Provider | Free | Mar, 2011 |
| G | System Integration & Outsourcee | Individual Support | Toll | Jan, 2011 |
| H | OEM Service for Small ISPs | Provider | Toll | Mar, 2011 |
Unofficial Status among members

ISP (Recursive DNS Server Provider)

| Name | Owner of keys | Fee | When? |
|------|---------------|-----|-------|
| I | Dual Types of Service/Opt-in | Free | Jan, 2011 |
| J | Validation Enabled for certain services | Free | TBD |
| K | TBD | Free | TBD |
| L | Validation Enabled | Free | TBD |

• SANYO Information Technology Solutions (SANNET) enabled DNSSEC validation on 21 Jul 2010.
Gap of Resources for Enabling DNSSEC Validation at this time
[Figure: horizontal axis: time (marker: Now); vertical axis: Resources for Recursive DNS servers. Labels: No Validation; Validation Enable; ISP X; ISP Y; Investment for Recursive DNS Servers]
Future Plan of DNSSEC.jp
• Collection of failure knowledge on DNSSEC operation and sharing it among operators
• Measurement of DNSSEC deployment in Japan in cooperation with JPRS
• “DNSSEC enabled” logo for service providers
• Translation of our documents into English or other languages (Call for Volunteers)
• Transferring all knowledge and materials to DNS operators on a regular basis after the introduction phase is finished