[Dnssec-deployment] dnssec deployment for ccTLD
regnauld at nsrc.org
Tue May 8 06:09:08 EDT 2012
shidiq (shidiq) writes:
> Hi All,
> where i can get information (step by step, requirements etc) from
> deployment dnssec for ccTLD.
Would you have more details about what you're trying to achieve ? There
are a few aspects to consider.
Signing the zone for a ccTLD is no different technically from
signing any other top-level zone, or any DNS zone for that matter.
It will differ mainly in the type of data you are signing: top level
and ccTLD zones typically contain many NS records (so called delegation
centric zones) and very little "data" to speak off (A, CNAME, MX, ...).
Also, as a ccTLD or top level zone, delegation holders must be able
to submit Delegation Signer records (hashes of their public key signing
keys) for inclusion into the zone.
There are several good guides out there to getting started with DNSSEC:
... and (plug!) you may want to check out the recent DNS/DNSSEC deployment
workshop we (NSRC) ran at MENOG 10 in Dubai last month.
This includes guides for signing with both BIND and OpenDNSSEC, and
some rather useful presentations by Rick Lamb from ICANN on key
management and ceremonies.
Also, the FCC has recently published a DNSSEC deployment guide for
Requirements vary, but it also depends on what your policy is. You may
want to start looking at what other countries such as .NZ have been doing
Don't hesitate to write back here, as I'm sure the awesome folks on this list
can help you with your questions!
Network Startup Resource Center
More information about the Dnssec-deployment