Alexander Venedioukhin, researcher from Technical Center of Internet (TCI) shares current DNSSEC status in Russian ccTLDs, history of deployment and registry/registrars operations on DNSSEC.

1. DNSSEC
in
.RU
Alexander Venedioukhin
Technical Center of the Internet
tcinet.ru

2. DNSSEC
TCI
- registries' backbone services.
Runs DNS and domain registration services
of
.RU, .РФ, .SU, .ДЕТИ, .TATAR

3. DNSSEC
DNSSEC started in .SU (2011)
(first production zone - 23.11.2011)
Main zone - .RU - signed in 2012,
and .РФ - same year.

4. DNSSEC
Signed with RSA
+
NSEC3
ZSK lifetime - 90 days
Standard approach:
.RU
DNSVIZ.NET

5. DNSSEC
Crypto procedures
operator, officer and observer roles
restricted access, air-gapped systems (for KSK)
KSK - in HSM
ZSK - in protected zone-signing machine (internal network)
Challenges of routine operations
Expired domain with DS
- need to redelegate in grace period
- how?

6. DNSSEC
DNSSEC is NOT so popular.
Yet
Stats: https://statdom.ru/
5.4 million names .RU and only about 1000 DS records
nanoscale deployment

7. DNSSEC
Compare to TLS (.RU):
in September 2017 - 395462 TLS-nodes (HTTPS)
Still about 10% of live web nodes
Stats: https://statdom.ru/

8. DNSSEC
Compare to DNS (.RU):
in September 2017 - about 70000 name servers
Number of zones with DS records
-- approximately 1.4% of NS count
(Not much meaning)
Stats: https://statdom.ru/

9. DNSSEC
DS record present
but DNSSEC is not
Cases:
replaced name servers;
changed administrator;
etc, you name it.
Expired RRSIGs

10. DNSSEC
Why?
1. Users/admins - no reason to implement
DNSSEC (no validation at client side);
2. Registrars do not support “automatic”
DNSSEC;
3. Lack of APIs provided by registrars.

11. DNSSEC
What we do?
Registry has full support for DS in EPP
(including ECDSA 13/14);
Requires valid DNSKEY for DS, and checks it.
And we try to educate end users

12. DNSSEC in .RU
Thank you!
Questions?
Alexander Venedioukhin
TCI
http://tcinet.ru/