
AFRINIC DNSSEC Service

Deployment Plan

Once the testing phase is completed, AFRINIC will integrate the signer into the provisioning system in three phases. During the first phase the provisioning system continues to work as it does today: whenever new zones are generated, copies of the distributed unsigned zones are passed to the signer, which produces a signed zone from them.


Deployment Test Phases

  • Install the tools (OpenDNSSEC, NSD, BIND, DSC, etc.)
  • Generate keys for the zones: KSK RSA 2048 / ZSK RSA 1024
  • Feed the unsigned zones into OpenDNSSEC and sign them
  • Publish the signed zones on the local DNS servers
  • Query and analyse response sizes over UDP and TCP (signed answers carry RRSIGs and can exceed 512 bytes, so EDNS0 and TCP fallback must work)
  • Validation using the zones' keys configured as trust anchors
  • Test key rollovers: ZSK and KSK
  • Scheduled key rollovers and emergency key rollover
  • Conclusions and lessons learnt
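The rollover tests above need a timeline: when the new ZSK may start signing and when the old one may be withdrawn. The following is an added example, not AFRINIC's code, that computes both from the zone's TTLs following the pre-publish ZSK scheme of RFC 6781 (section 4.1.1.1), and also shows the validation outage an emergency rollover risks when those waits are skipped. The TTL and propagation figures in EXAMPLE_TIMING are assumptions chosen for illustration, not values from the plan or the DPS.

```python
"""Earliest safe times for a pre-publish ZSK rollover (RFC 6781, section 4.1.1.1)
and the outage window an emergency rollover risks.

Added example, not AFRINIC's code. The TTLs and delays in EXAMPLE_TIMING are
assumptions picked for illustration, not values taken from the plan or the DPS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ZoneTiming:
    dnskey_ttl: int    # TTL of the DNSKEY RRset, seconds
    max_zone_ttl: int  # largest TTL of any RRset signed by the ZSK, seconds
    propagation: int   # worst-case delay for a new zone to reach every secondary, seconds
    resign: int = 0    # time the signer needs to re-sign the whole zone, seconds


@dataclass(frozen=True)
class PrePublishRollover:
    publish_new_key: datetime  # step 1: new ZSK added to the DNSKEY RRset, old ZSK still signs
    switch_signing: datetime   # step 2: earliest time RRSIGs may be produced with the new ZSK
    remove_old_key: datetime   # step 3: earliest time the old DNSKEY may be withdrawn


def plan_prepublish_rollover(start: datetime, t: ZoneTiming) -> PrePublishRollover:
    """Compute the rollover timeline from the zone's TTLs.

    Ipub: a validator must be able to see the new DNSKEY before it sees RRSIGs made
          with it, so signing may only switch DNSKEY TTL + propagation after publication.
    Iret: the old DNSKEY must stay until every RRSIG made with it has expired from
          caches: re-sign time + max zone TTL + propagation after the switch.
    """
    ipub = timedelta(seconds=t.dnskey_ttl + t.propagation)
    iret = timedelta(seconds=t.resign + t.max_zone_ttl + t.propagation)
    switch = start + ipub
    return PrePublishRollover(start, switch, switch + iret)


def emergency_rollover_outage(t: ZoneTiming) -> int:
    """Worst-case seconds of validation failure if a compromised ZSK is swapped for a
    new one in a single step (no Ipub/Iret waits).

    A resolver holding the old DNSKEY RRset cannot validate new RRSIGs until that
    RRset expires (dnskey_ttl); one holding old RRSIGs cannot validate them against a
    DNSKEY RRset that no longer contains the old key (max_zone_ttl). Either way the
    zone is bogus for that resolver, so the window is the larger of the two plus the
    time the new zone takes to reach every secondary.
    """
    return max(t.dnskey_ttl, t.max_zone_ttl) + t.propagation


# Assumed figures for illustration only.
EXAMPLE_TIMING = ZoneTiming(dnskey_ttl=3600, max_zone_ttl=86400, propagation=3600)
EXAMPLE_START = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)


def example_plan() -> PrePublishRollover:
    return plan_prepublish_rollover(EXAMPLE_START, EXAMPLE_TIMING)


if __name__ == "__main__":
    plan = example_plan()
    print("publish new ZSK :", plan.publish_new_key.isoformat())
    print("switch signing  :", plan.switch_signing.isoformat())  # 2 h after publication
    print("remove old ZSK  :", plan.remove_old_key.isoformat())  # 25 h after the switch
    print("emergency outage window: %d s" % emergency_rollover_outage(EXAMPLE_TIMING))
```

The point of the scheduled variant is that every wait is derived from data the signer already knows (the zone's own TTLs), so it can be automated; the emergency variant shows why the plan lists it as a separate test: there is no wait that makes it safe, only a choice of which resolvers fail for how long.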


Phase 1

Published Unsigned Zones

The signed zone is checked and then loaded on a public DNS server, and all tests are conducted against that server; the production name servers continue to serve the unsigned zones. In this phase AFRINIC evaluates the operation of the signer and of the updated provisioning system.

  • The new provisioning system: consistent generation of signed zones
  • Consistency check of zone content: non-DNSSEC queries against both the unsigned and the signed zone must return the same answers
  • DNSSEC queries to the signed zones
  • Conclusions and lessons learnt


Phase 2

Publish Signed Zones

Once the previous stage has succeeded, the next step is to publish signed zones instead of unsigned ones. In this phase the reverse DNS provisioning system starts publishing signed zones, with adequate notification to the community and a rollback plan in place, and only zones produced by the signer are distributed to the name servers.

Test

  • Zone transfer consistency between master and slaves (same serial and content on every server)
  • Non-DNSSEC queries on all name servers
  • DNSSEC queries on all name servers
  • Conclusions and lessons learnt

Rollback Plan

Rollback from the phase where AFRINIC is publishing signed zones without DS records in the parent zones is as follows:

  1. A maintenance window for the rollback is opened.
  2. Notice of the impending maintenance, with a technical description of the change, is sent to the community.
  3. During the maintenance window, AFRINIC begins to serve unsigned zones, stripped of all DNSSEC information. The SOA serial is incremented so that the secondaries transfer the unsigned zone. Because no DS is published in the parent, resolvers validating from the root treat the zone as insecure rather than bogus, so this transition does not cause validation failures.
  4. A detailed technical report of the circumstances leading to the rollback and of the execution of the rollback itself is sent to the community.
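Step 3 of this rollback is mechanical enough to script, and scripting it is what makes the maintenance window short. The following is an added example, not AFRINIC's tooling: it strips the DNSSEC-only record types from a signed zone, increments the SOA serial with RFC 1982 wrap-around, and refuses to hand back a zone in which any DNSSEC record survived. It assumes the signer writes one RR per line as "owner TTL IN TYPE rdata" (the form ldns and OpenDNSSEC emit) with no ';' inside quoted rdata; the sample zone is constructed for illustration and its owner name is used only as an example.

```python
"""Build the unsigned zone served during the rollback: remove every DNSSEC-only
record and increment the SOA serial so that secondaries transfer the new zone.

Added example, not AFRINIC's tooling. It assumes the signer writes one RR per
line as "owner TTL IN TYPE rdata" (the form ldns/OpenDNSSEC emit), with no ';'
inside quoted rdata; the zone below is constructed for illustration and the
owner name is used only as an example.
"""

# Types that exist only because the zone is signed. DS records of member
# delegations are kept: they are delegation data, and once this zone is served
# unsigned they simply go unvalidated (the delegated zones become insecure).
DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}

SERIAL_MODULUS = 1 << 32  # SOA serial arithmetic wraps modulo 2^32 (RFC 1982)


def rr_type(line):
    """RR type of a one-line record (upper case), or None for blank/comment lines."""
    body = line.split(";", 1)[0]
    fields = body.split()
    if not fields:
        return None
    if "(" in body or ")" in body:
        raise ValueError("multi-line (parenthesised) RR not supported: %r" % line)
    # owner [TTL] IN TYPE rdata...: the type is the token right after the class.
    for i in range(1, len(fields) - 1):
        if fields[i].upper() == "IN":
            return fields[i + 1].upper()
    raise ValueError("cannot locate class/type in: %r" % line)


def bump_serial(soa_line):
    """Return the SOA line with its serial (third rdata field) incremented mod 2^32."""
    fields = soa_line.split()
    for i in range(1, len(fields) - 1):
        if fields[i].upper() == "IN" and fields[i + 1].upper() == "SOA":
            idx = i + 4  # IN SOA MNAME RNAME SERIAL ...
            fields[idx] = str((int(fields[idx]) + 1) % SERIAL_MODULUS)
            return " ".join(fields)
    raise ValueError("not an SOA record: %r" % soa_line)


def unsign_zone(signed_zone):
    """Return (unsigned_zone_text, number_of_records_removed)."""
    kept, removed, soa_seen = [], 0, False
    for line in signed_zone.splitlines():
        rtype = rr_type(line)
        if rtype in DNSSEC_TYPES:
            removed += 1
            continue
        if rtype == "SOA":
            if soa_seen:
                raise ValueError("more than one SOA record")
            soa_seen = True
            line = bump_serial(line)
        kept.append(line)
    if not soa_seen:
        raise ValueError("zone has no SOA record")
    # Last check before the zone is loaded: nothing DNSSEC-specific may remain.
    leftovers = [l for l in kept if rr_type(l) in DNSSEC_TYPES]
    if leftovers:
        raise RuntimeError("DNSSEC records survived stripping: %r" % leftovers)
    return "\n".join(kept) + "\n", removed


# Constructed sample: fake signatures and keys, example name servers.
SAMPLE_SIGNED_ZONE = """\
; constructed sample zone, not real AFRINIC data
41.in-addr.arpa.\t3600\tIN\tSOA\tns1.example.net. hostmaster.example.net. 2012030701 3600 900 1209600 3600
41.in-addr.arpa.\t3600\tIN\tRRSIG\tSOA 8 3 3600 20120407000000 20120307000000 23456 41.in-addr.arpa. ZmFrZXNpZw==
41.in-addr.arpa.\t3600\tIN\tNS\tns1.example.net.
41.in-addr.arpa.\t3600\tIN\tNS\tns2.example.net.
41.in-addr.arpa.\t3600\tIN\tRRSIG\tNS 8 3 3600 20120407000000 20120307000000 23456 41.in-addr.arpa. ZmFrZXNpZw==
41.in-addr.arpa.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAfake=
41.in-addr.arpa.\t3600\tIN\tDNSKEY\t256 3 8 AwEAAfake=
41.in-addr.arpa.\t3600\tIN\tRRSIG\tDNSKEY 8 3 3600 20120407000000 20120307000000 41451 41.in-addr.arpa. ZmFrZXNpZw==
41.in-addr.arpa.\t3600\tIN\tNSEC\t0.41.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
41.in-addr.arpa.\t3600\tIN\tRRSIG\tNSEC 8 3 3600 20120407000000 20120307000000 23456 41.in-addr.arpa. ZmFrZXNpZw==
0.41.in-addr.arpa.\t3600\tIN\tNS\tns.member.example.
0.41.in-addr.arpa.\t3600\tIN\tDS\t2048 8 2 0000000000000000000000000000000000000000000000000000000000000000
0.41.in-addr.arpa.\t3600\tIN\tRRSIG\tDS 8 4 3600 20120407000000 20120307000000 23456 41.in-addr.arpa. ZmFrZXNpZw==
"""


def unsign_example():
    return unsign_zone(SAMPLE_SIGNED_ZONE)


if __name__ == "__main__":
    text, removed = unsign_example()
    print("removed %d DNSSEC records" % removed)  # 8 for the sample above
    print(text)
```

Two details matter operationally: the serial must actually increase (a date-based serial that is bumped by one on the same day is fine; a serial at 2^32-1 must wrap to 0, which RFC 1982 treats as an increment), and the final leftover check runs on the output rather than trusting the filter, so a new record type added by a future signer version cannot slip into the "unsigned" zone unnoticed.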


Phase 3

DS publication in parent zones

Even once signed zones are being published, the AFRINIC RDNS zones are not yet DNSSEC secured: validators have no chain of trust to them until the DS records of the KSKs are published in the parent zones. The DS records will be generated and sent to IANA through its RDNS management system.

Provisioning will be configured to process DS records for sub-domains (member delegations). The signer and the zone publication are not modified. From this point on the zones are validated against the published DS, so a signing or key-management failure would make them bogus for validating resolvers rather than merely insecure. Once the full DNSSEC system has been tested and launched, with the measures required by the DPS in place, the project moves into normal AFRINIC operations; monitoring and performance measurement remain ongoing activities.

Tests

  • Query for the DS record on all ip6.arpa and in-addr.arpa servers
  • DNSSEC validation of signed RRs in AFRINIC signed zones with root key as trusted key
  • Conclusions and lessons learnt

Rollback Plan

Rollback from the phase where AFRINIC is publishing signed zones with DS records in the parent zones is as follows:

  1. A maintenance window for the rollback is opened.
  2. Notice of the circumstances and of the intended remedial action, with technical detail, is sent to the community.
  3. AFRINIC executes an emergency KSK rollover to remove the DS records from the parent zones.
  4. Public communication with the community continues, with the goal of ensuring that news of the situation and of the actions being taken reaches as wide an audience as possible.
  5. After the publication delay specified by the DPS has elapsed (the old DS must have expired from resolver caches before the signatures disappear, otherwise validating resolvers will treat the zones as bogus), AFRINIC transitions to unsigned zones as described in the rollback plan for the phase where signed zones are published without DS records in the parent zones.


Members' DS records publication

Tests

  • DS processing and DS RRs signing
  • Chain of trust validation from root to child zone (with DS records published)
  • Conclusions and lessons learnt
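Both Phase 3 (AFRINIC's own DS records in in-addr.arpa and ip6.arpa) and the members' DS publication above come down to the same check: does the DS seen at the parent reproduce from the child's DNSKEY? The following is an added example, not AFRINIC's tooling, that derives a DS from a DNSKEY per RFC 4034 (section 5.1.4 and Appendix B) and verifies a published DS against a DNSKEY RRset, which is the "query for the DS record on all servers" and "chain of trust validation" step up to, but not including, RRSIG verification. The two DNSKEYs are constructed 12- and 13-byte RDATA values, not real RSA keys, so the key-tag arithmetic can be followed by hand; the owner name is used only as an example.

```python
"""Derive the DS record for a KSK and check the DS published in the parent against
the child's DNSKEY RRset (RFC 4034, section 5.1.4 and Appendix B).

Added example, not AFRINIC's tooling. The DNSKEYs below are constructed 12- and
13-byte RDATA values, not real RSA keys, so the key-tag arithmetic can be followed
by hand; the owner name is used only as an example.
"""
import hashlib

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels,
    terminated by the root label. The DS digest is computed over this form, so
    case differences in the owner name must not change the result."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def ds_record(owner, dnskey, digest_type=2):
    """(key_tag, algorithm, digest_type, digest_hex) for the DS of this DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + dnskey).hexdigest()
    return key_tag(dnskey), dnskey[3], digest_type, digest.upper()


def ds_presentation(owner, ds):
    tag, alg, dtype, digest = ds
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest)


def ds_matches(published_ds, owner, dnskey_rrset):
    """True if a key in the child's DNSKEY RRset reproduces the published DS.

    Key tags are not unique, so every key with a matching tag and algorithm is
    digested and compared; only a digest match completes the chain of trust.
    Run this against every parent server once the DS has been submitted: a DS
    that matches no DNSKEY makes the zone bogus for validators, not merely
    insecure."""
    tag, alg, dtype, digest = published_ds
    for dnskey in dnskey_rrset:
        if key_tag(dnskey) != tag or dnskey[3] != alg:
            continue
        if ds_record(owner, dnskey, dtype)[3] == digest.upper():
            return True
    return False


ZONE = "41.in-addr.arpa."  # example owner name only
# Constructed keys: flags 257 = KSK (SEP bit set), 256 = ZSK; protocol 3; algorithm 8.
KSK = dnskey_rdata(257, 3, 8, bytes.fromhex("03010001abcdef12"))
ZSK = dnskey_rdata(256, 3, 8, bytes.fromhex("030100019876543210"))

if __name__ == "__main__":
    ds = ds_record(ZONE, KSK)
    print(ds_presentation(ZONE, ds))  # key tag 41451, algorithm 8, digest type 2
    print("chain of trust to KSK:", ds_matches(ds, ZONE, [ZSK, KSK]))
```

In practice the published DS comes from a DS query to each in-addr.arpa or ip6.arpa server and the DNSKEY RRset from each AFRINIC (or member) name server, and the check is repeated per server: a DS that reproduces on one parent server but not another is exactly the inconsistency the Phase 3 test list is meant to catch before the rollback plan has to be invoked.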

