DNSSEC is a mechanism that protects the integrity of DNS records and protects end-users against DNS cache poisoning attacks. However, operating a DNSSEC signing infrastructure requires a lot of investment and effort, both to maintain it and to ensure the security of the signing service. There is also a need to maintain a proper key management life-cycle. This project is about operating a DNSSEC signing service for external parties (any network operator).
We envisage it to be a container-based infrastructure, where a new container is spun up every time a new operator enrols into this service. Each signer will have its own isolated environment, e.g. running on Docker, and keys will be stored in a soft-HSM. There will be a web portal allowing users to activate their service and get the configuration to set up zone transfers for signing between master and slave servers.
Keywords: DNSSEC, Docker, SoftHSM, web development, security
Number of Students/Interns required: 1
Duration: 6-8 months

Key deliverables:
- A container-based system for activating a DNSSEC engine for AFRINIC members
- Key management strategy within the Docker ecosystem
- Web interface to manage and monitor ecosystem

Skills required:
- Bash scripting
- Good understanding of the DNS and DNSSEC infrastructure
- Good working knowledge of Docker, Kubernetes, etc
- Web development (Python/Django, PHP, Angular.js, etc)