Donate
In Khartoum, A DNSSEC Deployathon Thumbnail
‹ Back
Domain Name System Security Extensions (DNSSEC) 27 December 2018

In Khartoum, A DNSSEC Deployathon

At the Internet Society Sudan Chapter office, adjacent to the west bank of the Blue Nile, four men decided to set up a local server capable of DNSSEC verification. It was an unplanned deployathon: a hands on, practical session in which a solution or service is deployed in a real-world scenario. Deployathons can help build technical capacity or set up a new service, and in this case, the men hoped to increase knowledge of DNSSEC and to prepare the individuals managing Sudan’s top-level domain (.sd) for signing in the near future.

During the SdNOG5 conference, these four men – we the authors, along with Jan Zorz of the Internet Society and Sander Steffann – continued the discussion on the deep technical challenges of deploying DNSSEC, and how Jan and Sander’s presence in Sudan provided an opportunity to leverage their experience with DNSSEC. We also reflected on the importance of DNSSEC for the country code top-level domain (ccTLD) and its positive impact on the national and international levels.

Having enjoyed some delicious Sudanese coffee, the four of us started to install a new server based on Centos 7, a Linux based operating system, from scratch. On this server, a DNS service would be run using the free and open source software known as BIND. The goal was to configure BIND as an authoritative-only name server with the hostname “sd-ns1.go6lab.si” –  a delegation from the parent “go6lab.si.” The domain “go6lab.si” is configured and running on Jan’s Go6Lab based in his home town Škofja Loka in Slovenia, EU.

The Go6lab would also provide another sub-domain to be signed known as “sd.go6lab.si.” The goal was to sign the zone “sd.go6lab.si” on the Centos 7 server (now with the name “sd-ns1.go6lab.si”) and then do a query on the same server to see whether it was serving the DNSSEC information for the signed zone.

We started by generating the Zone Signing Key (ZSK) and Key Signing Key (KSK) for “sd.go6lab.si,” after an explanation from Sander and Jan on the importance and role of the two keys. We then generated our first DS Key (Delegation Signer Key) for our “sd.go6lab.si” domain and submitted that DS Key to the parent-domain authoritative server (in this case the authoritative name servers for go6lab.si). Everything worked like a charm –enough to draw very beautiful smiles on our faces.

It was a great pleasure to have our first DNSSEC validating server – one at the same level and same capabilities as other DNSSEC validation servers around the world. Because the server is hosted locally and we had full access to it, we will be able to study how everything works and use the same resource to train the community and to raise awareness of DNSSEC.

The efforts regarding the DNSSEC for our ccTLD were not planned, but it was a great opportunity to have a very close technical insight that took into consideration all details, including the potential risk during the keys rollover.

.SD is about to launch the registry system (CoCCA) in the coming days, after which we will be able to deploy DNSSEC. Meanwhile we have sufficient practical experience to sign Sudan’s top-level domain, .SD . The Internet Society’s Sudan Chapter is about to organize a number of DNSSEC workshops to all local stakeholders, partners, and community members.

We understand many still have the fear of deploying DNSSEC as we had. Nonetheless, the process was very easy and effortless, it took us four hours to do the whole deployment process, starting from the virtual machine preparation, operating system installation, BIND software installation and configuration, and DNSSEC deployment. We encourage those who haven’t yet deployed DNSSEC to take a brave step and do it, and we will also always be there if anything is needed for the deployment process.

In the end, had it not been for the enlightenment of Jan and Sander – and the great effort exerted by them on DNSSEC – this initial deployment wouldn’t have been possible.

Thank You @Jan
Thank You @Sander

Learn the DNSSEC basics!

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Join the conversation with Internet Society members around the world