mydnsipv6 –success story - internet society · internet identity for all mydnsipv6 –success...

Internet Identity For All

myDNSIPv6 – Success Story

By

Norsuzana Harun

Manager, Technology and Innovation Dept.

20th July 2009

© MYNIC Berhad 2009 Strictly Private & ConfidentialInternet Identity for All 22

Agenda1. About myDNSIPv6

• myDNSIPv6 Roadmap (2006 ‐ 2010)2. myDNSIPv6 Test Bed3. 4 related changes to .my registry system

• .my Registry System ‐ Interface Changes• .my Registry System ‐ Backend Changes

4. Test Cases• Test Cases for Network Equipments• Test Cases for DNS Activities• Test Cases for Web Interface and Database


Agenda (cont)5. Registration to IANA6. IPv6 Connectivity and Security Audit7. Public Launch8. .my’s IPv6 Enabled Domain Names 9. The Way Forward10. Conclusion


About myDNSIPv6

To actualize and facilitate IPv4 to IPv6 transition as mandated in Malaysian Information, Communication and Multimedia Services 886 (MyICMS 886)

IPv6 is a mandated Infrastructure

Government agencies to adopt IPv6 by year 2010

To provide IPv4 and IPv6 enabled DNS registry system

Public are able to register .my domain name with IPv6 enabled name server(s)

4

Objectives


myDNSIPv6 Roadmap (2006 ‐ 2010)

2006 2007 2008 2008

a) Study current MYNIC's DNS system and DNS naming compression (512 bytes limitation)

b) Organize .my training related to DNS and IPv6 topics

a) .my Training related to DNS, IPv6 and Security topics

b) IPv6 awareness program road tour

c) Integrate IPv6 with other MYNIC projects (DNSSEC, myANYCAST and ENUM)

d) Security audit (Networks and Servers) by appointed auditor

a) Enhanced the registry system and testing

b) Launch IPv6 enabled .my registry system

c) Deployment of IPv6 for secondary DNS

d) Security audit and IPv6 connectivity test by appointed auditor

e) IPv6 Readiness Survey (Continue)

f) Organize MYNIC DNS security seminar (WCIT)

g) .my Training related to DNS, IPv6 and Security topics

a) Integrate IPv6 with other MYNIC projects (Webserver, mail and whois servers)

b) .my Training related to DNS, IPv6 and Security topics

c) Security audit (Networks and Servers) by appointed auditor

TRIAL PHASE DEPLOYMENT AWARENESS

2009 2010

a) Formation of R&D lab and server room

b) Develop and launch myDNSIPv6 Test bed for public to test in July

c) Organize .my training related to DNS and IPv6 topics

d) Organize seminar pertinent to DNS related technologies (NICE)

e) IPv6 Readiness Survey


myDNSIPv6 Test BedStarted on 17th July and closed on 30th August 2007

181 participants

58 testing domain registered

© MYNIC Berhad 2009 Strictly Private & ConfidentialInternet Identity for All

4 related changes to .my registry system Web Interface and Application

New domain registration will allow input and validation of IPv6 addresses for name serverCurrent domain name holder will able to assign IPv6 address for their name server

Backend and Network Change.my Domain Registry’s co‐location service provider need to enable the router to support dual‐stack (IPv4 & IPv6) Upgrade network equipments to support dual‐stack (IPv4 & IPv6)

7


4 related changes to .my registry system

DatabaseAdditional field to keep IPv6 address information

SecurityAppointed third party to audit our servers and networksHarden our servers and networks according to the audit reportUpgrade firewall and install IPS

8


Web interface comparison

Customers are able to enter IPv4 address only.

.my Registry System ‐ Interface Changes

Simplified page: Customers are not able to enter IP addresses. They have to use the Name Server Creation page (which is on the following slide).

9


Additional input field for IPv6 address


10


Name server modification

Customers able to view and modify the IPv4 & IPv6 addresses


11

2001:328:1000:3::102001:328:1000:3::11


Modify existing Name Server IP addresses


12

2001:328:1000:3::10

2001:328:1000:3::11


Dual stack firewall, IPS and DNS servers (wef: 16th Aug 08)

.my Registry System ‐ Backend Changes

Firewall IPv6 address DNS Servers IPv6 address

AAAA record

Reverse lookup for IPv6 address

A record

13


Test Cases for Network EquipmentsEquipment Test Description Objectives

Routers •Configure IPv6 address for the router•Test the network (which go through the router) by using IPv6 protocol

•To ensure the OS support IPv6 protocol

•To ensure the IPv6 transport able to go through the network

•To ensure the firewall also able to filter IPv6 address

Firewall •Configure IPv6 address for the Firewall•Test the network (which go through the firewall) by using IPv6 protocol

IPS (Intrusion Prevention System)

•Configure IPv6 address for the IPS•Test the network (which go through the IPS) by using IPv6 protocol

Switches(layer 2)

•Use the switches to connect 2 IPv6 network segments

•To ensure the IPv6 transport able to go through the network


Test Cases for DNS ActivitiesActivities Test Description Objectives

DNS Query •Use a dig command to query the data from IPv4 only DNS, IPv6 only DNS and also dual stack DNS

•To ensure the DNS query can be functioning between IPv4 only, IPv6 only and dual stack

•To verify IPv6 protocol is the preferred protocol for the process Zone Transfer •Use a dig +axfr command to

check the zone transfer activities, check the bind log to find out the transaction is run on v4 or v6 transport

•To ensure the DNS query can be functioning between IPv4 only, IPv6 only and dual stack

•To verify IPv6 protocol is the preferred protocol for the process DNS Extension

for IPv6(EDNS0 or Data size)

•Create a large (huge) zone of domain, and do a dig to it authoritative server, make sure the respond datagram’s size is larger than 512 octets

•To ensure the respond data will not get loss if the respond datagram’s size is larger than 512 octets


Test Cases for Web Interface and DatabaseActivities Test Description Objectives

New registration

•Submit different type of IPv6 address format through the online DNS registration form

•To ensure the IPv6 addresses are 128 bits long, written in hexadecimal, and separated by colons

•Filter and reject all the invalid IPv6 addresses being insert into the databaseModification •Submit different type of

IPv6 address format through the online DNS modification form

•To ensure the IPv6 addresses are 128 bits long, written in hexadecimal, and separated by colons.

•Filter and reject all the invalid IPv6 addresses being insert into the databaseDatabase field • Insert different type of IPv6

data format into the database field

•To ensure the data field has correct data type and enough field length to keep IPv6 data


.my’s DNS Server Registration to IANA

• Can only proceed when the name server is ready with IPv6 in production environment

• Registration being made under “Requests by ccTLD Managers to Change Name servers” procedure.

• The IANA is responsible for receiving and acting on requests by the designated ccTLD managers to change information (name and IP address)

• The request submission date was on 19th August 2008

• Updated the glue record by IANA on 26th August 2008


.my’s DNS Server Registration to IANA (cont)


http://www.iana.org/domains/root/db/my.html.my’s DNS Server Registration to IANA (cont)


Certificate for IPv6 Level 1 Network connectivity

Certificate for Security Audit

IPv6 Connectivity and Security Audit


Public Launch

Launch myDNSIPv6 on 23th Nov 2009

.my Domain Registry are no 127th TLD support IPv6 out of 296 TLD in the world


.my’s IPv6 Enabled Domain NamesAccording to categories


.my’s IPv6 Enabled Domain Names (cont)

Low adoption from domain name’s holder. As of 18th July 2009, only 17 or 0.02% out of 83,319 .my domain names support IPv6

Possible Reasons (???) :1. No urgency for the migration/IPv62. Lack of technical expertise for IPv63. Lack of awareness programs 4. Motivation factors


.my’s IPv6 Enabled Domain Names (cont)

Domain Name Primary Primary IPv6 Secondary Secondary IPv6

1 bsd.my benkyo.mybsd.org.my

2001:328:2002:ace::1000 ns1.everydns.net ‐

2 cybershop.my ns1.my 2001:328:ff00:1:215:c5ff:fe60:74f8

ns2.my ‐

3 erion.m y n1.erion.my 2001:470:1f08:61d::2 n2.erion.my 2001:960:2:585::2

4 hack.my benkyo.mybsd.org.my

2001:328:2002:ace::1000 ns2.afraid.org ‐

5 infoweapons.my atlcolodns1.infoweapons.com

2001:418:5403::2 atlcolodns2.infoweapons.com

2001:418:5403::3

6 jaring.my dns2.jaring.my 2001:328:200:ab::100 ns7.jaring.my ‐

7 ns1.my ns1.my 2001:328:ff00:1:215:c5ff:fe60:74f8

ns2.my ‐

8 ntt.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24

9 void.my benkyo.mybsd.org.my

2001:328:2002:ace::1000 ns2.afraid.org ‐

Category: .my (9)


.my IPv6 Enabled Domain Names (cont)


.net.my

1 arcnet6.net.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24

2 infoweapons.net.my atlcolodns1.infoweapons.com


2001:418:5403::3

3 myren.net.my ns1.myren.net.my 2404:a8:400:2000::53

ns2.myren.net.my

‐

.org.my

1 myren.org.my ns1.myren.net.my 2404:a8:400:2000::53

ns2.myren.net.my

‐

2 neohumanist.org.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24

Category: .net.my (3) and .org.my (2)


.my IPv6 Enabled Domain Names (cont)


1 arcnet6.com.my ns1.arc.net.my 2001:c18::25 ns2.arc.net.my 2001:c18::24

2 infoweapons.com.my atlcolodns1.infoweapons.com


2001:418:5403::3

3 myren.com.my ns1.myren.net.my 2404:a8:400:2000::53

ns2.myren.net.my ‐

Category: .com.my (3)


The Way Forward Keep up‐to‐date on IPv6 activities around the world

Attend and join IPv6 related eventsJoining IPv6 Working group ( MSTFB, AP‐IPv6 Task Force ) ‐ encourage registration of domain with IPv6 Name servers

Integrate IPv6 with other .my DOMAIN REGISTRY projects (DNSSEC, myANYCAST, ENUM, Webserver, mail and whois servers).MY Domain Registry is seriously put an effort on awareness program for public to increase the number of domain with IPv6

Conduct series of IPv6 technology workshops / seminars / training

27


Conclusion

28

• This project took about 3 years to get into production and at this time we are focusing on IPv6 at our secondary

• Testing Firewalls for IPv6 and EDNS0 Support(http://www.icann.org/en/committees/security/sac016.htm)

• Good practice for migration is to start with dual stack approach


Thank You!

[email protected]://rnd.domainregistry.my

29

mydnsipv6 –success story - internet society · internet identity for all mydnsipv6 –success...

Documents