Technical details

The DNSSEC Trial México project has two main objectives:

  1. Educate about and promote DNSSEC technology.
  2. Create a platform that allows a future DNSSEC deployment in .mx.

The educational objective has been achieved by holding workshops about DNSSEC.

Two workshops were held in Mexico City in the first semester of 2006. Telco companies, universities and private businesses attended the workshops.

The first workshop took place on the 8th and 9th of March 2006. People from the following organizations attended this workshop:

  • UNAM
  • Administradora LUX
  • EDS
  • BESTEL
  • Universidad La Salle
  • ANUIES
  • Telcel

The second workshop took place with RedUno/Telmex participants.

A workshop will be held in Monterrey during the second semester of 2006.

NIC México is developing a DNSSEC technology platform that consists of three main components:

Key administration system:

The key administration system is a tool for managing KSKs and ZSKs. Keys are created on a server that uses hardware for random number generation. The private part of the KSK is stored on a smart card, and the keyset signing is done on the smart card.

The key administration server is not connected to the network and is kept in a safe place. Keys and RRSIG RRs are transferred from the key administration server to the signing server with a USB memory card.

Provisioning system:

The provisioning system allows the user to register test.mx domains and to administer the public part of KSKs in order to generate DS RRs.

Signing system:

The signing system is the back end of the project. It was built with two servers interconnected by a serial cable. One server (the signing server) is totally isolated from the network, and its function is to generate NSEC, RRSIG and DS RRs. The signing server holds the private part of the ZSKs used in the zone and the RRSIGs made over the keyset by the KSK. The second server (the transfer server) communicates directly with the provisioning RDBMS. When it detects a zone change, it sends the RR changes (A and NS RRs) to the signing server and receives the required RRSIG, NSEC and DS RRs in return. Once the transfer server has received these RRs, it recreates the zone, and the changes are then sent via AXFR or IXFR to the test.mx authoritative servers.

The signing server can initiate a ZSK rollover if the ZSKs and the KSK-made RRSIGs over the keyset have been stored on it beforehand. The pre-publish scheme is used for the ZSK rollover.

This system was developed from scratch.
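
The pre-publish ZSK rollover described above can be sketched as follows. This is an added example, not NIC México's code: it lists the DNSKEY keysets a rollover passes through and checks that a KSK-made RRSIG has been stored for each one, so the offline KSK is never needed. The key labels, TTLs, propagation delay and validity windows are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stage:
    name: str
    published: frozenset  # key labels in the DNSKEY RRset during this stage
    signer: str           # ZSK that signs the zone data during this stage
    earliest: int         # seconds after the rollover starts

def plan_prepublish(ksk, old, new, dnskey_ttl, max_zone_ttl, propagation):
    """Stages of a pre-publish ZSK rollover with their earliest start offsets."""
    both = frozenset({ksk, old, new})
    # Resolvers must be able to fetch the new DNSKEY before it signs anything.
    t_switch = dnskey_ttl + propagation
    # RRSIGs made by the old ZSK must age out of caches before the key goes.
    t_remove = t_switch + max_zone_ttl + propagation
    return [
        Stage("publish new ZSK", both, old, 0),
        Stage("sign with new ZSK", both, new, t_switch),
        Stage("remove old ZSK", frozenset({ksk, new}), new, t_remove),
    ]

def missing_keyset_sigs(plan, stored, start):
    """Keysets that lack a stored KSK-made RRSIG covering their whole stage.

    stored maps a keyset to the (inception, expiration) of that RRSIG.
    An empty result means the rollover never needs the offline KSK.
    """
    missing = []
    for i, stage in enumerate(plan):
        begin = start + stage.earliest
        last = i + 1 == len(plan)
        end = begin if last else start + plan[i + 1].earliest
        window = stored.get(stage.published)
        covered = window is not None and window[0] <= begin and end <= window[1]
        if not covered and stage.published not in missing:
            missing.append(stage.published)
    return missing

# Constructed sample values (assumptions, not taken from the test.mx zone).
PLAN = plan_prepublish("KSK-1", "ZSK-A", "ZSK-B",
                       dnskey_ttl=3600, max_zone_ttl=86400, propagation=600)
BOTH, FINAL = PLAN[0].published, PLAN[2].published
FULL = {BOTH: (0, 200_000), FINAL: (0, 200_000)}
SHORT = {BOTH: (0, 50_000)}  # signature expires mid-rollover, final keyset absent

if __name__ == "__main__":
    for s in PLAN:
        print(f"t+{s.earliest:>6}s  {s.name:<18} signer={s.signer}")
    print("missing with FULL :", missing_keyset_sigs(PLAN, FULL, start=1000))
    print("missing with SHORT:", missing_keyset_sigs(PLAN, SHORT, start=1000))
```

With the SHORT set, the rollover would stall after the new ZSK is published, because the two-ZSK keyset signature expires before the old key can be removed and no signature exists for the final keyset.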

Status of this system:

| Component | Status | Estimated release date |
|---|---|---|
| Serial port communications | Released | First semester 2006 |
| RRSIG, NSEC and DS RR creation in the signing server | Released | First semester 2006 |
| Complete zone signing of data obtained from the RDBMS | Released | First semester 2006 |
| Signing of RDBMS changes | Being developed (20% advance) | Second semester 2006 |
| USB port communications | Being developed (70% advance) | Second semester 2006 |
| Automation of ZSK rollover | Being developed (80% advance) | Second semester 2006 |
| IXFR support | Being developed (10% advance) | Second semester 2006 |




[Figure: DNSSEC Trial México infrastructure]


Last update: May 2006