myDNSIPv6 – Success Story - Internet Society
Internet Identity For All
myDNSIPv6 – Success Story
By
Norsuzana Harun
Manager, Technology and Innovation Dept.
20th July 2009
© MYNIC Berhad 2009 Strictly Private & Confidential
Agenda
1. About myDNSIPv6
   • myDNSIPv6 Roadmap (2006 ‐ 2010)
2. myDNSIPv6 Test Bed
3. 4 related changes to .my registry system
   • .my Registry System ‐ Interface Changes
   • .my Registry System ‐ Backend Changes
4. Test Cases
   • Test Cases for Network Equipments
   • Test Cases for DNS Activities
   • Test Cases for Web Interface and Database
5. Registration to IANA
6. IPv6 Connectivity and Security Audit
7. Public Launch
8. .my’s IPv6 Enabled Domain Names
9. The Way Forward
10. Conclusion
About myDNSIPv6
Objectives
• To actualize and facilitate the IPv4 to IPv6 transition as mandated in the Malaysian Information, Communication and Multimedia Services 886 (MyICMS 886)
• IPv6 is a mandated infrastructure
• Government agencies are to adopt IPv6 by year 2010
• To provide an IPv4 and IPv6 enabled DNS registry system
• The public is able to register .my domain names with IPv6 enabled name server(s)
myDNSIPv6 Roadmap (2006 ‐ 2010)
2006 2007 2008 2008
a) Study current MYNIC's DNS system and DNS naming compression (512 bytes limitation)
b) Organize .my training related to DNS and IPv6 topics
a) .my Training related to DNS, IPv6 and Security topics
b) IPv6 awareness program road tour
c) Integrate IPv6 with other MYNIC projects (DNSSEC, myANYCAST and ENUM)
d) Security audit (Networks and Servers) by appointed auditor
a) Enhanced the registry system and testing
b) Launch IPv6 enabled .my registry system
c) Deployment of IPv6 for secondary DNS
d) Security audit and IPv6 connectivity test by appointed auditor
e) IPv6 Readiness Survey (Continue)
f) Organize MYNIC DNS security seminar (WCIT)
g) .my Training related to DNS, IPv6 and Security topics
a) Integrate IPv6 with other MYNIC projects (Webserver, mail and whois servers)
b) .my Training related to DNS, IPv6 and Security topics
c) Security audit (Networks and Servers) by appointed auditor
TRIAL PHASE DEPLOYMENT AWARENESS
2009 2010
a) Formation of R&D lab and server room
b) Develop and launch myDNSIPv6 Test bed for public to test in July
c) Organize .my training related to DNS and IPv6 topics
d) Organize seminar pertinent to DNS related technologies (NICE)
e) IPv6 Readiness Survey
myDNSIPv6 Test Bed
• Started on 17th July and closed on 30th August 2007
• 181 participants
• 58 testing domains registered
4 related changes to .my registry system

Web Interface and Application
• New domain registrations will allow input and validation of IPv6 addresses for name servers
• Current domain name holders will be able to assign IPv6 addresses to their name servers

Backend and Network Change
• The .my Domain Registry’s co‐location service provider needs to enable the router to support dual‐stack (IPv4 & IPv6)
• Upgrade network equipment to support dual‐stack (IPv4 & IPv6)

Database
• Additional field to keep IPv6 address information

Security
• Appointed a third party to audit our servers and networks
• Harden our servers and networks according to the audit report
• Upgrade firewall and install IPS
.my Registry System ‐ Interface Changes
Web interface comparison
• Customers are able to enter IPv4 address only.
• Simplified page: Customers are not able to enter IP addresses. They have to use the Name Server Creation page (which is on the following slide).

.my Registry System ‐ Interface Changes
Additional input field for IPv6 address

.my Registry System ‐ Interface Changes
Name server modification
Customers are able to view and modify the IPv4 & IPv6 addresses
2001:328:1000:3::10
2001:328:1000:3::11

.my Registry System ‐ Interface Changes
Modify existing Name Server IP addresses
2001:328:1000:3::10
2001:328:1000:3::11
.my Registry System ‐ Backend Changes
Dual stack firewall, IPS and DNS servers (wef: 16th Aug 08)
[Screenshot labels: Firewall IPv6 address; DNS Servers IPv6 address; AAAA record; Reverse lookup for IPv6 address; A record]
Test Cases for Network Equipments

Equipment: Routers
Test Description:
• Configure IPv6 address for the router
• Test the network (which goes through the router) by using IPv6 protocol

Equipment: Firewall
Test Description:
• Configure IPv6 address for the Firewall
• Test the network (which goes through the firewall) by using IPv6 protocol

Equipment: IPS (Intrusion Prevention System)
Test Description:
• Configure IPv6 address for the IPS
• Test the network (which goes through the IPS) by using IPv6 protocol

Objectives (Routers, Firewall and IPS):
• To ensure the OS supports IPv6 protocol
• To ensure the IPv6 transport is able to go through the network
• To ensure the firewall is also able to filter IPv6 addresses

Equipment: Switches (layer 2)
Test Description:
• Use the switches to connect 2 IPv6 network segments
Objectives:
• To ensure the IPv6 transport is able to go through the network
Test Cases for DNS Activities

Activity: DNS Query
Test Description:
• Use a dig command to query the data from IPv4 only DNS, IPv6 only DNS and also dual stack DNS
Objectives:
• To ensure the DNS query can function between IPv4 only, IPv6 only and dual stack
• To verify IPv6 protocol is the preferred protocol for the process

Activity: Zone Transfer
Test Description:
• Use a dig +axfr command to check the zone transfer activities, and check the bind log to find out whether the transaction is run on v4 or v6 transport
Objectives:
• To ensure the DNS query can function between IPv4 only, IPv6 only and dual stack
• To verify IPv6 protocol is the preferred protocol for the process

Activity: DNS Extension for IPv6 (EDNS0 or Data size)
Test Description:
• Create a large (huge) zone of domain, and do a dig to its authoritative server; make sure the response datagram’s size is larger than 512 octets
Objectives:
• To ensure the response data will not get lost if the response datagram’s size is larger than 512 octets
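The EDNS0 test case can be worked through offline. The block below is an added example, not code from the original slides or from MYNIC: it builds a query carrying an OPT record that advertises a UDP payload size, then judges a response against the 512-octet objective. The name big.example, the verdict labels and the padded responses are constructed for illustration.

```python
import struct

CLASSIC_LIMIT = 512   # octets a UDP DNS response may carry without EDNS0
OPT = 41              # OPT pseudo-RR type used by EDNS0

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype, txid, edns_size=None):
    """Build a query; if edns_size is set, append an OPT record advertising it."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns_size else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_size:
        # root owner name, TYPE=OPT, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg

def advertised_size(query):
    """UDP payload size the query advertises (512 when it carries no OPT)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:                 # skip the labels of the single question
        pos += query[pos] + 1
    pos += 5                          # root label + QTYPE + QCLASS
    if arcount == 0:
        return CLASSIC_LIMIT
    rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
    return size if rtype == OPT else CLASSIC_LIMIT

def verdict(query, response):
    """Judge one UDP response against the EDNS0 test objective."""
    if response is None:
        return "dropped"          # nothing came back: suspect a filter on the path
    flags = struct.unpack("!H", response[2:4])[0]
    if flags & 0x0200:
        return "truncated"        # TC bit set: the answer did not fit
    if len(response) <= CLASSIC_LIMIT:
        return "zone-too-small"   # proves nothing about large datagrams
    return "pass" if len(response) <= advertised_size(query) else "oversize"

def fake_response(flags, length):
    """Constructed response: header with the given flags, padded to length."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + b"\x00" * (length - 12)
```

A "dropped" or "truncated" verdict on a query that advertised 4096 octets points at the firewall or IPS in front of the server rather than at the name server itself.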
Test Cases for Web Interface and Database

Activity: New registration
Test Description:
• Submit different types of IPv6 address format through the online DNS registration form
Objectives:
• To ensure the IPv6 addresses are 128 bits long, written in hexadecimal, and separated by colons
• Filter and reject all invalid IPv6 addresses before they are inserted into the database

Activity: Modification
Test Description:
• Submit different types of IPv6 address format through the online DNS modification form
Objectives:
• To ensure the IPv6 addresses are 128 bits long, written in hexadecimal, and separated by colons.
• Filter and reject all invalid IPv6 addresses before they are inserted into the database

Activity: Database field
Test Description:
• Insert different types of IPv6 data format into the database field
Objectives:
• To ensure the data field has the correct data type and enough field length to keep IPv6 data
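One way to implement the "filter and reject" objective for the registration and modification forms, as an added example that is not MYNIC's code. It goes beyond the slide in two labelled assumptions: accepted addresses are stored in one canonical form, and addresses that are not global unicast (loopback, link-local, unique-local, multicast, IPv4-mapped) are rejected as a registry policy. The function names and sample inputs are constructed.

```python
import ipaddress

MAX_TEXT_LEN = 45                       # longest IPv6 text form (embedded dotted quad)
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

def normalise_ns_ipv6(text):
    """Return the canonical form to store, or raise ValueError with a reason."""
    text = text.strip()
    if not text or len(text) > MAX_TEXT_LEN:
        raise ValueError("empty or longer than any valid IPv6 text form")
    if "%" in text or "/" in text:
        raise ValueError("zone id or prefix length is not an address")
    try:
        addr = ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError as exc:
        raise ValueError("not a valid IPv6 address: %s" % exc)
    # Assumed policy: a name server address must be publicly reachable unicast.
    if addr.ipv4_mapped is not None:
        raise ValueError("IPv4-mapped address; enter it in the IPv4 field")
    if (addr.is_unspecified or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr in UNIQUE_LOCAL):
        raise ValueError("not a global unicast address")
    return addr.compressed

def screen(submissions):
    """Split form submissions into stored canonical values and rejections."""
    accepted, rejected = [], {}
    for raw in submissions:
        try:
            canon = normalise_ns_ipv6(raw)
        except ValueError as exc:
            rejected[raw] = str(exc)
        else:
            if canon not in accepted:   # same address typed two ways is one record
                accepted.append(canon)
    return accepted, rejected

# Constructed form inputs; the first address is the one shown on the slides.
SAMPLES = [
    "2001:328:1000:3::10",
    "2001:0328:1000:0003:0000:0000:0000:0010",   # same address, full form
    "2001:328:1000:3::AB",                       # upper-case hex
    "2001:328:1000:3:::10",                      # triple colon
    "2001:328:1000:3::g1",                       # non-hex digit
    "2001:328:1000:3",                           # too few groups
    "fe80::1%eth0",                              # zone id
    "::ffff:192.0.2.1",                          # IPv4-mapped
    "::1",                                       # loopback
]
```

The canonical value returned here is never longer than 39 characters, which gives a concrete size for the additional database field.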
.my’s DNS Server Registration to IANA
• Can only proceed when the name server is ready with IPv6 in the production environment
• Registration was made under the “Requests by ccTLD Managers to Change Name servers” procedure.
• The IANA is responsible for receiving and acting on requests by the designated ccTLD managers to change information (name and IP address)
• The request was submitted on 19th August 2008
• IANA updated the glue record on 26th August 2008
.my’s DNS Server Registration to IANA (cont)
http://www.iana.org/domains/root/db/my.html
IPv6 Connectivity and Security Audit
• Certificate for IPv6 Level 1 Network connectivity
• Certificate for Security Audit
Public Launch
• Launch myDNSIPv6 on 23rd Nov 2009
• .my Domain Registry is the 127th TLD to support IPv6 out of 296 TLDs in the world
.my’s IPv6 Enabled Domain Names
According to categories
.my’s IPv6 Enabled Domain Names (cont)
Low adoption by domain name holders. As of 18th July 2009, only 17 or 0.02% out of 83,319 .my domain names support IPv6
Possible Reasons (???):
1. No urgency for the migration/IPv6
2. Lack of technical expertise for IPv6
3. Lack of awareness programs
4. Motivation factors
.my’s IPv6 Enabled Domain Names (cont)
Category: .my (9)
No. | Domain Name | Primary | Primary IPv6 | Secondary | Secondary IPv6
1 | bsd.my | benkyo.mybsd.org.my | 2001:328:2002:ace::1000 | ns1.everydns.net | ‐
2 | cybershop.my | ns1.my | 2001:328:ff00:1:215:c5ff:fe60:74f8 | ns2.my | ‐
3 | erion.my | n1.erion.my | 2001:470:1f08:61d::2 | n2.erion.my | 2001:960:2:585::2
4 | hack.my | benkyo.mybsd.org.my | 2001:328:2002:ace::1000 | ns2.afraid.org | ‐
5 | infoweapons.my | atlcolodns1.infoweapons.com | 2001:418:5403::2 | atlcolodns2.infoweapons.com | 2001:418:5403::3
6 | jaring.my | dns2.jaring.my | 2001:328:200:ab::100 | ns7.jaring.my | ‐
7 | ns1.my | ns1.my | 2001:328:ff00:1:215:c5ff:fe60:74f8 | ns2.my | ‐
8 | ntt.my | ns1.arc.net.my | 2001:c18::25 | ns2.arc.net.my | 2001:c18::24
9 | void.my | benkyo.mybsd.org.my | 2001:328:2002:ace::1000 | ns2.afraid.org | ‐
.my IPv6 Enabled Domain Names (cont)
Category: .net.my (3) and .org.my (2)
No. | Domain Name | Primary | Primary IPv6 | Secondary | Secondary IPv6
.net.my
1 | arcnet6.net.my | ns1.arc.net.my | 2001:c18::25 | ns2.arc.net.my | 2001:c18::24
2 | infoweapons.net.my | atlcolodns1.infoweapons.com | 2001:418:5403::2 | atlcolodns2.infoweapons.com | 2001:418:5403::3
3 | myren.net.my | ns1.myren.net.my | 2404:a8:400:2000::53 | ns2.myren.net.my | ‐
.org.my
1 | myren.org.my | ns1.myren.net.my | 2404:a8:400:2000::53 | ns2.myren.net.my | ‐
2 | neohumanist.org.my | ns1.arc.net.my | 2001:c18::25 | ns2.arc.net.my | 2001:c18::24
.my IPv6 Enabled Domain Names (cont)
Category: .com.my (3)
No. | Domain Name | Primary | Primary IPv6 | Secondary | Secondary IPv6
1 | arcnet6.com.my | ns1.arc.net.my | 2001:c18::25 | ns2.arc.net.my | 2001:c18::24
2 | infoweapons.com.my | atlcolodns1.infoweapons.com | 2001:418:5403::2 | atlcolodns2.infoweapons.com | 2001:418:5403::3
3 | myren.com.my | ns1.myren.net.my | 2404:a8:400:2000::53 | ns2.myren.net.my | ‐
The Way Forward
• Keep up‐to‐date on IPv6 activities around the world
• Attend and join IPv6 related events
• Join IPv6 working groups (MSTFB, AP‐IPv6 Task Force) ‐ encourage registration of domains with IPv6 name servers
• Integrate IPv6 with other .my DOMAIN REGISTRY projects (DNSSEC, myANYCAST, ENUM, Webserver, mail and whois servers)
• .MY Domain Registry is putting serious effort into awareness programs for the public to increase the number of domains with IPv6
• Conduct a series of IPv6 technology workshops / seminars / training
Conclusion
• This project took about 3 years to get into production and at this time we are focusing on IPv6 at our secondary
• Testing Firewalls for IPv6 and EDNS0 Support (http://www.icann.org/en/committees/security/sac016.htm)
• Good practice for migration is to start with dual stack approach
Thank You!
[email protected]
rnd.domainregistry.my