Advanced ccTLD Workshop Assessment and Planning Guide
Submitted by: Eswari Pd. Sharma (.np registry)
This assessment form is to help us determine what topics and direction to take when we finalize a course outline for upcoming ccTLD workshops. We wish to customize the workshop topics to areas that will be useful to you. The more information you can give us in this assessment document, the better we will be able to do this.
1. SELF-ASSESSMENT
1a. Describe a major challenge that you have faced over the last months or years in operating and developing the registry operation.
Please include:
* The policy and the technical aspects of the challenge.
* Interested parties who were involved in the process.
* Solutions, if any, you have deployed to solve the challenge(s).
* Tools or training that were included in your planning process.
Ans:
For the past 3 years, I have been involved in the registry management system, reforming policy and providing prompt service to registrants. We are planning to introduce the 2nd level domain within this year. We are planning to implement IDN in the near future after partial success of the 2nd level domain. The challenges I have faced during the last 2 years are as follows:
(a) Reforming .np policy and support service:
As the registration of domains is free, domain registrants come in hundreds daily and it's just registering and occupying the space. For this we are going to reform our policy soon to validate more for local presence with phone number and email address, and also to verify the domain name's compliance with the name of the company/trademark or personal name, and also respective of the second level domain name.
After full automation of the domain name system, we are going to plan the introduction of an expiry system, initially for one year. If the domain expires, the registrant needs to go through the registration and documentation process again.
We have added a few supportive staff and provided training for prompt and value-added service. Enquiries through email and phone are handled by them, and they could also handle technical queries from registrants in the near future.
(b) Abuse of domain name:
(i) The registrant has been abused by placing the content of Microsoft. Though we are not the regulatory body to check the content management system, we got a complaint from Microsoft, as we are the authority for the .np domain, regarding gopal.com.np for keeping the valuable information. We verified the content and found the copyrighted information on the web site. We have taken action by suspending this domain and conveyed the message to the registrant.
(ii) Likewise, we got a complaint from the local community that a virus has been spread through USB drive by the name sujin.com.np. We enquired into the case with the legal body, and the registrant has accepted the mistake: he made a virus to learn, but later it was spread through pen drive without any intention to do so. We have made an antivirus for this virus and kept it on our download website (http://download.mos.com.np). We found this domain has done harm to the local community and we finally removed this domain from the authoritative servers.
1b. Describe the projects on which you are currently working to solve or deploy, and their importance (ranking).
Please include:
* Interested parties involved in the process.
* Plans for new hardware or software.
* Additional skills or training that would support your project.
I have been involved in system related projects:
(1) Event generating through SMS:
This project was initiated for the alert message to the system administrator when a server goes down in our communication department. The administrator used to get the message on mobile, and if it continues, the message is sent to the others on a priority basis. This is more useful and effective these days with the implementation of this project.
(2) Automation of registry system:
The software is being developed using Java and MySQL on the Linux platform. The front-end part is being developed using PHP and CGI scripts. It has different modules such as the registrant module, registrar module, support module, admin module and super administrator module. Now we are working on 2, and one staff member is needed for designing the front-end application, and later we need data operators who can verify the documents and upload them to the new system.
(3) Keeping track of mail to hostmaster and support:
The mails that come to hostmaster@mos.com.np and support@mos.com.np are not responded to properly. For this we are coming up with an event tracking system which will automatically generate a case and assign it to the concerned staff. If the concerned staff do not respond, this will notify the higher authority of the same. The case is closed with the action plan. This is still under construction and it will be up very soon.
(4) Upgradation of DNS servers with monitoring and event tools:
The DNS server is being upgraded with the latest BIND version and monitored with the mrtg/nagios and DSC tools. A script has been written on the DNS server to track DDoS attacks; this is like an agent running on the server: it runs twice a day, manages the blacklisted IPs and blocks the suspected IPs through iptables.
A check of whether AXFR is taking place or not is run by the script daily, and the result is sent to the .np Administrator.
1c. Describe the major areas where you plan to spend resources (time, money) in the next two years and how important they are to your registry.
Please include:
* A timeline (within 6 months, within 2 years, ..).
* Additional requirements (staff, tools, software, etc.).
* How did these topics make your list. (scaling issue, customer demand, value add service etc.)
* Probability of actual deployment. (not very likely, rather likely, very likely, unavoidable).
(i) Implementation of IPv6 on root server:
(a) Duration: within 2 years
(b) Requirements: staff, hardware, and in process of getting IPv6 from APNIC
(c) In my list: for the transition from IPv4 to IPv6 in the near future
(d) Deployment: rather likely
(ii) Keeping one of the root servers in Nepal:
(a) Duration: within 1 year
(b) Requirement: hardware, sufficient bandwidth, physical infrastructure
(c) In my list: value-added service and providing service to the internet world
(d) Deployment: rather likely
(iii) Adding another anycast for .np domain:
(a) Duration: within 1 year
(b) Requirements: nothing; correspond with the concerned and provide access in the main authoritative server.
(c) In my list: scaling issue
(d) Deployment: very likely
(iv) Implementation of DNSSEC for security and stability:
(a) Duration: within 1 year
(b) Requirement: hardware, sufficient bandwidth, physical infrastructure
(c) In my list: for the security and stability of the DNS system
(d) Deployment: very likely
(v) Implementation of IDN for .np:
(a) Duration: within 1 year
(b) Requirement: people for development of scripts and process
(c) In my list: this is required as many countries have already implemented it, and we are coming up with a script in association with the open source localization team madan puraskar pustakalaya and fossnepal.
(d) Deployment: very likely
(vi) Full automation of registry-registrar system for .np:
(a) Duration: within 3 months
(b) Requirement: people for development of scripts and process
(c) In my list: easy for the domain registration, modification and management of the .np domain.
(d) Deployment: very soon
(e) Note: At present we have a semi-automated system for validation, tracking and searching whois information of the registrant. We are going to implement the registry-registrar system with user-privileged functions, keeping the documents fully online, implementing different layers for the registration process, and finally writing the data to the root server with proper validation.
2. GENERAL TECHNICAL QUESTIONS
These questions are for the individual or individuals from your organization who will be attending. Please be sure to answer questions about knowledge of specific items as they pertain to yourself. Please check all boxes that apply to you.
2a. How would you rate yourself in terms of Linux or Unix use?
[__] Never used either
[__] Beginner: Just getting started. Have worked at the command line some.
[__] Intermediate: I've installed Linux or Unix, edited files, installed software, stopped and started services.
[x] Advanced: I use it regularly. Editing files, installing software, configuring services and troubleshooting problems.
2b. What is your experience using DNS?
[__] I understand how DNS works and use tools like dig to query the DNS.
[__] I've installed BIND/NSD/Other, configured zones, etc.
[x] I know about or am interested in DNSSEC, TSIG, DNS with IPv6, etc.
[__] I do all of the above.
[x] Other, please describe: DNS monitoring and sniffing tools
2c. Security
[x] I'm responsible for securing network servers and services at my location.
[__] I'm responsible for securing the network at my location.
[__] I use cryptographic security with services such as ssh, ssl, pgp, dnssec, digital certificates, etc.
[__] I do not need to deal with security issues in my position.
[__] Other, please describe:
2d. Network Monitoring
[x] I've installed, configured and use network monitoring software such as Nagios, mrtg, Smokeping, snmp, etc.
[__] Our organization uses network monitoring software which I take advantage of, but do not maintain.
[__] I have not used or installed network monitoring software.
[__] Other, please describe:
2e. Tools
Which Operating System are you running on your servers?
Red Hat AS 4, FreeBSD, Mandriva
Which Operating System are you running on your Desktop/Laptop? Windows
What is your favorite text editor? Vi
List your top 5 most used command line tools: df -h, ifconfig, top, kill, tail -f /var/log/secure & tail -f /var/log/message
List your top five most used applications or programming tools:
(i) webalizer for web analysis of squid server
(ii) mrtg & nagios for monitoring
(iii) dsc for dns server
(iv) webmin for administration of servers
(v) removing openssh and implementing secure ssh
3. TOPICS FOR HANDS ON TRAINING:
Looking at your current needs and plans, list five topic areas where you would like additional training for your technical staff.
Possible topics include:
* Backup/Rsync Practical
* Building out Your Registry
* Cryptographic Methods
* Databases
* DNSSEC (for training)
* DSC
* Logging
* MRTG/RRDTool (for training)
* Nagios w/Examples
* Network Monitoring/Management
* Operating System Basics
* PGP
* Registry Tools
* Revision Control in Practice
* Scripting & Automation (for training)
* Security (for training)
* Service Level Agreements (SLAs)
* Single to Multiple Registry to Registrar Model (EPP)
* SmokePing
* SNMP
* SSL/Digital Certificates
* Ticket Systems/Helpdesk (RT/Trac)
4. ANYTHING ELSE?
If there is anything else you wish to tell us about your experience or expectations for this workshop please do so below.
I would recommend emphasizing more on these:
(a) DNS security & monitoring:
Due to vulnerabilities and threats in the DNS system, the advanced training should focus more on security, DDoS attacks and monitoring of the DNS system.
How to establish a robust, stable and secure DNS system. As prevention is better than cure, how to protect the data and processes that occur on these machines? DNS monitoring tools, sniffing tools for DDoS attacks and port vulnerability tools to check the health of the DNS system will be more interesting.
(b) Attack mitigation planning:
Establishing responses and actions that can be rapidly deployed in the event of an identified attack. This can also include steps to ensure rapid recovery and continuance of service.
(c) Registry automation with EPP:
For the ccTLD operators, automation of the registry system surely eases the work and process. So implementation of open source s/w like openreg, fred, coca etc., and the pros and cons of these OSS.
(d) Implementation of IPv6 on root server:
Slowly, IPV6 is grooming up and if we get training guideline on this how we could plan and implement at our end.
(e) DNSSEC and its implementation:
The threat to the DNS system is increasing day by day with fast flux, cache poisoning, spoofing etc. Though it's complicated, this is the time to implement DNSSEC, so looking for more.
(f) Domain tasting, fast flux, cache poisoning etc.
These topics are also really interesting and we can't set them aside.