ION Mumbai - Jitender Kumar: DNSSEC
Jitender Kumar's presentation from ION Mumbai on 11 October 2012
© Afilias Limited
Agenda
• About Afilias
• DNSSEC
• DNSSEC Signing
• DNSSEC Validation
• Afilias’s Role in DNSSEC Deployment
ION Conference, Mumbai, October 2012
About Afilias
ICANN contracted gTLDs
Country Code TLDs
• Best known for domain name registry services
• Supporting 21M names across 16 TLDs
What is DNSSEC?
• A set of security extensions to the existing DNS protocol added by the Internet Engineering Task Force (IETF).
• DNSSEC provides:
  – Authentication of the source of the information in a DNS response
  – Integrity of the information in a DNS response
  – Authenticated denial of existence
• DNSSEC doesn’t provide:
  – Confidentiality, access control lists, or other means of differentiating between inquirers
  – Protection against Denial of Service (DoS) attacks
• Two principal deployment dimensions for us to consider:
  – Signing; and
  – Validating
Signing
• Afilias has been signing TLDs since before the root zone was signed
• We are responsible for the key material used for the signing process, including publication
• The .IN Registry has been one of the early adopters of DNSSEC, facilitated by Afilias as we are the registry services provider
• NamesBeyond and Net4India are registrars who have deployed DNSSEC services
Validating
• Our DNS provides authoritative responses when queried about a zone that we manage
• Afilias provides the DS record that enables validation of signed domains in TLDs we host
• Registrars are responsible for ensuring the registry has the public key information it needs for the DS record
Gap In The System
• The public key information needed for the DS record is managed by the DNS hosting provider
• Everything works great as long as the registrar is the DNS hosting provider
• When a third-party DNS hosting provider is used, there needs to be an interaction between the registrar and that provider
• This is currently a manual copy-and-paste
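As an added illustration (not from the presentation or from Afilias), the Python below checks a DS record that was pasted by hand against the DNSKEY it should be derived from, using the RFC 4034 key tag and an RFC 4509 SHA-256 digest. The owner name example.in., the key value and all function names are constructed for this example.

```python
import base64
import hashlib
import struct

def name_to_wire(owner):
    """Canonical (lowercased) wire form of the owner name."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, alg, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, alg) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, alg, pubkey_b64):
    """Derive (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    rdata = dnskey_rdata(flags, protocol, alg, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest

def check_pasted_ds(pasted, owner, flags, protocol, alg, pubkey_b64):
    """Return a list of mismatches between a hand-pasted DS and the DNSKEY."""
    fields = pasted.split()
    if len(fields) < 4 or not all(f.isdecimal() for f in fields[:3]):
        return ["expected: <key tag> <algorithm> <digest type> <digest>"]
    got = (int(fields[0]), int(fields[1]), int(fields[2]),
           "".join(fields[3:]).upper())      # digest may be wrapped by the paste
    if got[2] != 2:
        return ["only digest type 2 (SHA-256) is checked here"]
    want = make_ds(owner, flags, protocol, alg, pubkey_b64)
    names = ("key tag", "algorithm", "digest type", "digest")
    return [f"{n}: pasted {g}, derived {w}"
            for n, g, w in zip(names, got, want) if g != w]

# Constructed sample, not a real key: KSK flags 257, protocol 3, algorithm 8.
OWNER, KEY = "example.in.", (257, 3, 8, "AQAB")

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds(OWNER, *KEY)
    print(f"{OWNER} IN DS {tag} {alg} {dtype} {digest}")
    truncated = f"{tag} {alg} {dtype} {digest[:-2]}"   # paste lost 2 characters
    print(check_pasted_ds(truncated, OWNER, *KEY))
```

An empty list from `check_pasted_ds` means the pasted DS matches the key; a truncated or mistyped digest is reported before the record reaches the registry.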
Reference
• http://www.internetsociety.org/what-we-do/technology-matters/dnssec
THANK YOU