Alexander Venedioukhin, researcher at the Technical Center of Internet (TCI), shares the current DNSSEC status in Russian ccTLDs, the history of deployment, and registry/registrar operations on DNSSEC.
5. DNSSEC
Crypto procedures
operator, officer and observer roles
restricted access, air-gapped systems (for KSK)
KSK - in HSM
ZSK - in protected zone-signing machine (internal network)
Challenges of routine operations
Expired domain with DS
- need to redelegate in grace period
- how?
6. DNSSEC
DNSSEC is NOT so popular.
Yet
Stats: https://statdom.ru/
5.4 million names in .RU and only about 1000 DS records
nanoscale deployment
7. DNSSEC
Compare to TLS (.RU):
in September 2017 - 395462 TLS-nodes (HTTPS)
Still about 10% of live web nodes
Stats: https://statdom.ru/
8. DNSSEC
Compare to DNS (.RU):
in September 2017 - about 70000 name servers
Number of zones with DS records
-- approximately 1.4% of the NS count
(not a very meaningful ratio)
Stats: https://statdom.ru/
9. DNSSEC
DS record present
but DNSSEC is not
Cases:
replaced name servers;
changed administrator;
etc., you name it.
Expired RRSIGs
10. DNSSEC
Why?
1. Users/admins - no reason to implement DNSSEC (no validation at client side);
2. Registrars do not support “automatic” DNSSEC;
3. Lack of APIs provided by registrars.
11. DNSSEC
What do we do?
Registry has full support for DS in EPP (including ECDSA algorithms 13/14);
Requires a valid DNSKEY for each DS, and checks it.
And we try to educate end users.
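The registry-side check described on this slide, and the failure mode of slide 9 (a DS in the parent that no longer corresponds to any DNSKEY in the child, e.g. after the name servers were replaced), as an added example that is not part of the presentation or of TCI's software. It derives the DS from a DNSKEY per RFC 4034 and accepts a submitted DS only if the child zone publishes a matching zone key; the owner name, keys and digests are constructed sample values.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # DNSKEY "Zone Key" flag bit (RFC 4034, section 2.1.1)


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root label last."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """Derive (key tag, algorithm, digest type, digest) from a DNSKEY, as in RFC 4034 5.1.4."""
    digest = DS_DIGESTS[digest_type](canonical_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_has_matching_dnskey(owner: str, ds: tuple, dnskeys: list) -> bool:
    """Registry-style check: accept the DS only if some DNSKEY published by the child zone is
    a zone key (protocol 3, zone-key flag set) whose derived DS equals the submitted one."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGESTS:
        return False  # unknown digest type: cannot be verified, so reject
    for rdata in dnskeys:
        flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
        if protocol != 3 or not flags & ZONE_KEY_FLAG or algorithm != alg:
            continue
        if make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest):
            return True
    return False


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 13 = ECDSA P-256) with a
# 64-byte placeholder public key, and a second key the zone might publish after a change.
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
DS_OK = make_ds("example.ru.", KSK, 2)  # DS the registrar would submit via EPP
```

With `[KSK]` published the check passes; with only `NEW_KSK` published (the replaced-name-servers case) the same DS is rejected, which is the "DS present but DNSSEC is not" state from slide 9.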
12. DNSSEC in .RU
Thank you!
Questions?
Alexander Venedioukhin
TCI
http://tcinet.ru/