Description
DNSSEC at scale: Enabling signing across 5,500 domains in the real world
Enabling DNSSEC for a single domain is straightforward: sign the zone, submit the DS record to your registrar, verify the chain of trust. Now do it 5,500 times, across hundreds of TLDs, multiple registrars, and every corner of the global domain registry ecosystem.
This talk is a war story from an ongoing project to enable DNSSEC across the entire internet DNS portfolio of a major automotive company. What looked like a routine security improvement turned into a deep dive through the messy reality of the domain industry — where APIs don't exist, registrars refuse manual work, intermediary chains span three organizations and two continents, and a single ambiguous form field can take a production domain offline.
Topics covered
- Getting internal buy-in
- Registrars that offer only partial API coverage
- How you might suddenly come across an unexpected chain of intermediaries
- Time zone considerations when changing DS records
- Education gaps about DNSSEC, even at registrars
- Slight confusion can take down production domains
- Registries suddenly demanding more information or updated handles
- Unexpected costs for domain updates, which scale quickly across 5,000+ domains
- (Certain features of DNS providers might make DNSSEC signing of zones impossible -> linked zones at NS1) (this is a point I'm debating if I want to keep it in, as it feels very internal)
- TLDs where DNSSEC is simply impossible
- TTLs in TLDs you don't control, which can make rollbacks messy and long
- The operational strategy we chose for enabling this
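The "sign the zone, submit the DS record, verify the chain of trust" step in the description, and the point above about slight confusion taking down production domains, both come down to one concrete check: the DS record a registrar form shows back must be exactly what your DNSKEY hashes to. The following is an added example (not code from the talk or from the company it describes) that computes the DS record for a DNSKEY per RFC 4034 (key tag from Appendix B, digest over the canonical owner name plus RDATA) and compares it against the text a registrar form echoes back, flagging the classic mistakes: swapped algorithm and digest-type fields, wrong digest type, and mixed-case owner names. The key bytes, owner names and the `check_submitted_ds` helper are constructed for the demo and are not real key material.

```python
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels, length-prefixed, root-terminated.

    Lowercasing matters: the DS digest covers the owner name, so a DS computed over
    'Example.COM.' would silently differ from one computed over 'example.com.'."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> dict:
    """DS record fields for the given DNSKEY: digest = H(owner name wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": h.hexdigest().upper(),
    }


def ds_text(ds: dict) -> str:
    """Presentation format as it would appear in a zone file or a registrar form."""
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def check_submitted_ds(submitted: str, expected: dict) -> list:
    """Compare the DS text a registrar form echoes back with the DS we computed ourselves.

    Returns a list of human-readable mismatches; an empty list means the submission is correct.
    (Helper constructed for this example; registrar forms differ in how they label the fields.)"""
    parts = submitted.split()
    if len(parts) < 4:
        return [f"expected 'keytag algorithm digesttype digest', got {len(parts)} field(s)"]
    try:
        tag, alg, dtype = (int(p) for p in parts[:3])
    except ValueError:
        return ["key tag, algorithm and digest type must all be integers"]
    digest = "".join(parts[3:]).upper()  # some forms display the digest split into groups
    problems = []
    if tag != expected["key_tag"]:
        problems.append(f"key tag {tag} != {expected['key_tag']}")
    if alg != expected["algorithm"]:
        problems.append(f"algorithm {alg} != {expected['algorithm']} "
                        "(algorithm and digest type are easy to swap on a form)")
    if dtype != expected["digest_type"]:
        problems.append(f"digest type {dtype} != {expected['digest_type']}")
    if digest != expected["digest"]:
        problems.append("digest does not match the DNSKEY")
    return problems


if __name__ == "__main__":
    # Constructed demo key bytes, NOT real key material (an ECDSA P-256 DNSKEY carries 64 bytes).
    demo = ds_record("example.com.", 257, 3, 13, bytes(range(64)))
    print(ds_text(demo))
    print(check_submitted_ds("12345 2 13 DEADBEEF", demo))  # swapped fields and a bogus digest
```

A useful operational habit is to run this comparison against what the registrar's interface displays after saving, not just what you typed: the display is what the registry will publish at the parent, and that is where a swapped field becomes a broken chain of trust.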
Summary
A talk about the pitfalls of deploying DNSSEC across 5500 domains over a diverse set of TLDs.
| Talk duration | 20 Minutes (+5 for Q&A) |
|---|---|
| Other conferences? | None |