Root Zone DNSSEC Deployment, ICANN 39, Cartagena, Colombia, 8 December 2010 (ICANN GNSO presentation)
This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. Department of Commerce NTIA and National Institute of Standards and Technology (NIST).
High Level Design
• Trust/Integrity
– Transparent operations
– Direct public participation in key management
– 3rd party audit
• Security
– Crypto
– Physical
– ID/ACS/multi-person access and control
• Availability
– Sufficient time to perform operations
– Mirror sites
– Disaster recovery plan
Implementation and Roll-out
• Publish all material (film, scripts, s/w, results.. http://www.iana.org/dnssec)
• DNSSEC Practices Statement (DPS)
• 21 Trusted Community Representatives (TCR)
• SysTrust audit by PWC
• 2048 KSK, 1024 ZSK RSA keys; SHA256 hash
• FIPS 140-2 Level 4 HSM; 3-of-7 TCR to enable; Good RNG
• Multiple physical tiers w/ multi-person anti-passback access control system
• 9 gauge stretched metal ceremony room construction; Safes certified to 20 hours surreptitious entry
• 24x7 monitoring: motion, seismic, video, guards
• ~60 day window to perform quarterly operation; 15 day signature validity periods
• Mirror sites in Los Angeles and Washington DC; 2 HSMs at each site
• Documented Disaster Recovery (DR) plans
• Incremental deployment with DURZ and extensive monitoring
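The "3-of-7 TCR to enable" control above is a threshold (M-of-N) scheme: no single representative, and no two, can activate the HSM. The following is an added illustration in Python, not code from these slides or from the root KSK facilities, showing that property with Shamir secret sharing over a prime field. The field modulus, the activation secret and the enable check are my assumptions; the real HSMs use their vendor's own M-of-N smartcard mechanism.

```python
import secrets

# Constructed parameters (assumptions for this illustration, not ICANN's):
# a Mersenne prime field and the 3-of-7 quorum quoted on the slide.
P = 2**127 - 1          # prime modulus for the finite field GF(P)
THRESHOLD, SHARES = 3, 7

def split_secret(secret, k=THRESHOLD, n=SHARES):
    """Split secret into n shares; any k of them reconstruct it, fewer reveal nothing.
    Each share is a point (x, f(x)) on a random degree-(k-1) polynomial with f(0)=secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over exactly the shares presented."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def enable_hsm(presented, activation_secret):
    """Model of the enable step (hypothetical): refuse below quorum, otherwise
    require the reconstructed value to match. With only 2 of 7 cards the
    interpolation yields an unrelated value, so nothing about the secret leaks."""
    if len(presented) < THRESHOLD:
        return False
    return recover_secret(presented[:THRESHOLD]) == activation_secret

if __name__ == "__main__":
    secret = secrets.randbits(120)                # constructed activation secret
    cards = split_secret(secret)                  # one share per TCR smartcard
    print("3 cards:", enable_hsm(cards[:3], secret))                             # True
    print("2 cards:", enable_hsm(cards[:2], secret))                             # False
    print("cards 2,5,7:", enable_hsm([cards[1], cards[4], cards[6]], secret))    # True
```

Any three cards, in any order, suffice; which three are present is irrelevant, which is what lets a quarterly ceremony proceed when some of the seven representatives cannot travel.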
Challenges
• Finding out what are "best practices"
• Embracing an audited IT security mindset
• Formalizing documentation of policy and procedures
• Contractors!!
• HSM/smartcards/PKCS11
Lessons Learned
• Identify your "customer" and then your risks first
• Develop and document policies and procedures, e.g., key management, DPS, scripts, DR plan – and institutionalize them
• Embrace PKCS11 and tamper evident bags
• Multiple compensating controls
• DNSSEC deployment does not have to be expensive; Learn from those on this panel and share our experiences.
• This is not static; annual review and incorporate improvements from community.
Root DNSSEC Design Team
Joe Abley, Mehmet Akcin, David Blacka, David Conrad, Richard Lamb, Matt Larson, Fredrik Ljunggren, Dave Knight, Tomofumi Okubo, Jakob Schlyter, Duane Wessels
..and so many others!!
Links: http://www.root-dnssec.org http://www.iana.org/dnssec