ION Cape Town, 8 September 2015 - Mark Elkins will explore one organization’s technical solution for deploying DNSSEC support within its country code Top Level Domain (ccTLD). With a goal of making it easier for domain name holders to easily add DNSSEC, we will take a quick look at the DNSSEC implementation strategy, the status/progress of signed domains, and lessons learned and challenges for increasing the percentage of signed domain names.

1. Deploying DNSSEC: A Case Study
Mark Elkins
September 2015

2. Posix and Customers
Who we are
Registered in 1992, but active from 1996.
A small Internet Service Provider.
Customers are a mixture of end users and content providers.
End users are now mostly connected to Telkom so use
Telkom ADSL and Bandwidth.
Content providers use virtual hosting (Many people on one
machine).
Machine hosting and Rack hosting

3. Posix and Customers
Hosting is at our Data Centre – Midrand (Jhb)
100m2
raised floor space
17 cabinets – room for 40
A Cabinet contains 8 machines
One machine contains 1500 domains / 150 Websites
Registration Only (Pure Registrar, DNSSEC Aware)
DNS Hosting
Parked Domains (Trademark protection)
Personal domain with Mail Services
Web Redirection
Various Web Packages

4. A Posix History of DNSSEC
2006
Attended the ZACR Advanced DNS course
Within a month had TSIG implemented
2007
Became DNS course instructor
(Started running IPv6)
2008/9
Implemented DNSSEC

5. General DNSSEC Principles
Already using BIND
BIND responsible for signing via Scripts
KSK – 2048 bits / 1 year (370 days)
ZSK – 1024 bits / 1 month (34 days)
Keys overlap by 50% (eg New KSK every 6 months)
NSEC (only option for small zones) or NSEC3
Use DLV (.isc.org) as “root” was not then signed.
Started with Algorithm 5 (NSEC3RSASHA1)
Did Algorithm 8 rollover in 2010!

6. Our two systems (Web/Non-Web)
Vweb Discrete Zones
(Web System) (Shell Script)
Settings: Settings:
Web → DB → Filesystem Filesystem only
/home/vweb/example.co.za/ /etc/bind/pri/example.co.za/
db.example.co.za db.example.co.za
named.inc dnssec-example.co.za
Key-material md5sum-example.co.za
soa-example.co.za
Key-material

7. Our two systems (Web/Non-Web)
Simple Activation
Vweb
(Web System)
Discrete Zones
(Shell Script available at “posixafrica.com”)
Edit the file “dnssec-example.co.za” to contain one of :
None
NSEC
NSEC3

8. DNSSEC Status @ Posix
Three entities use DNSSEC (Ourselves and two others)
The two (former Advanced DNS Students) use Registration only
Use EPP to modify DS (via DNSKEY) Records in COZA
Use Other Web interfaces for Reverse DNS (AFRINIC) and
for a selection of DLV entities.
All Posix gTLD domains (e.g. posix.systems) are signed
Stats: 90 Domains (43 NSEC, 47 NSEC3 / 50 COZA, 40 Other)
Only two “City” domains are signed – One by Posix

9. DANE / TLSA @ Posix
To generate keys by hand:
Either:
openssl s_client -connect www.example.co.za:443
Or:
cat /home/www/example.co.za/ssl/cert.crt
Followed by:
| openssl x509 -outform DER | openssl sha256 (301/web)
Or:
| openssl x509 -noout -pubkey |
openssl pkey -pubin -outform DER | openssl sha256 (311/mail)
For websites with SSL Certificates
If DNS is locally hosted – Option to add/update the TLSA
Records for Web and Mail

10. DNSSEC Validator
By adding the “DNSSEC Validator” plug-in into the
browser we can see full DNSSEC & TLSA Validation
(Yes, we run IPv6)

11. DNSSEC – concluding thoughts
TO DO: Upgrade exim to support TLSA records for secure MTA
to MTA Connections.
Lean on people to sign ZA & ZA SLD's
HSM's: Hardware is expensive, nothing wrong with SoftHSM
Software: OpenDNSSEC – but fiddly to run on Authoritative server
Resolver: All Recursive resolvers are DNSSEC aware
(Authoritative and Recursive server should be separate)
Lock-in: Customers may hesitate moving to non-DNSSEC
providers
Future: Simply switch on DNSSEC for everyone?
Success: Zero Failures since switch-on
(including protocol rollover)

12. Questions?
Mark Elkins
mje@posix.co.za
mark@posix.systems