[Dnssec-deployment] dnssec deployment for ccTLD

Phil Regnauld regnauld at nsrc.org
Tue May 8 06:09:08 EDT 2012


shidiq (shidiq) writes:
> Hi All,
> 
> Where can I get information (step by step, requirements, etc.) on
> deploying DNSSEC for a ccTLD?

Hello Shidiq,

Would you have more details about what you're trying to achieve? There
are a few aspects to consider.

Signing the zone for a ccTLD is no different technically from
signing any other top-level zone, or any DNS zone for that matter.

It will differ mainly in the type of data you are signing: top level
and ccTLD zones typically contain many NS records (so-called delegation
centric zones) and very little "data" to speak of (A, CNAME, MX, ...).

Also, as a ccTLD or top level zone, delegation holders must be able
to submit Delegation Signer records (hashes of their public key signing
keys) for inclusion into the zone.

There are several good guides out there to getting started with DNSSEC:

https://www.dnssec-deployment.org/index.php/presentations-events-and-newsletters/deployment-guidlines/

... and (plug!) you may want to check out the recent DNS/DNSSEC deployment
workshop we (NSRC) ran at MENOG 10 in Dubai last month.

https://nsrc.org/workshops/2012/menog-dns-dnssec/wiki
https://nsrc.org/workshops/2012/menog-dns-dnssec/wiki/Agenda

This includes guides for signing with both BIND and OpenDNSSEC, and
some rather useful presentations by Rick Lamb from ICANN on key
management and ceremonies.

Also, the FCC has recently published a DNSSEC deployment guide for
ISPs:

http://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC-III-WG5-Final-Report.pdf

Requirements vary, but it also depends on what your policy is. You may
want to start looking at what other countries such as .NZ have been doing
there:

http://nzrs.net.nz/dns/dnssec/dps

http://dnc.org.nz/story/consultation-dnssec-implementation

Don't hesitate to write back here, as I'm sure the awesome folks on this list 
can help you with your questions!

Cheers,
Phil Regnauld
Network Startup Resource Center
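
The message above notes that a ccTLD must accept Delegation Signer records from delegation holders. As an added example (not part of the original message or of any registry's code), this sketch shows how a registry could check that a submitted DS matches the child's DNSKEY, using the RFC 4034 digest and key tag definitions. The name `child.example`, the function names, the tuple layout and the sample key are assumptions made for illustration.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes) | protocol | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for a DNSKEY tuple."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), dnskey[2], digest_type, digest

def check_submission(owner, ds, dnskey):
    """Reasons to reject a submitted DS; an empty list means it matches the DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    problems = []
    if not dnskey[0] & 0x0100:
        problems.append("DNSKEY is not a zone key (flags bit 7 clear)")
    if dnskey[1] != 3:
        problems.append("DNSKEY protocol field is not 3")
    if digest_type not in DIGESTS:
        return problems + [f"unsupported digest type {digest_type}"]
    expected = make_ds(owner, dnskey, digest_type)
    if (tag, algorithm) != expected[:2]:
        problems.append("key tag or algorithm does not match the DNSKEY")
    if digest.replace(" ", "").upper() != expected[3]:
        problems.append("digest does not match the DNSKEY")
    return problems

# Constructed sample key: 64 placeholder bytes, not a real ECDSA key.
SAMPLE_DNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    ds = make_ds("child.example", SAMPLE_DNSKEY)
    print("DS", *ds, "->", check_submission("child.example", ds, SAMPLE_DNSKEY) or "accept")
```
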

