1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa.

Slides:

Advertisements

Similar presentations

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Advertisements

DNS Alphabet Soup. IPv6 Increases packet size Both transport and question/answer sections Preference: goes first Fragmentation done by end points (ICMPv6!)

1 Storage Today Victor Hatridge – CIO Nashville Electric Service (615)

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.

Gabriela Contreras, Continental Airlines Yvan Hennecart, SDL

1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr.

1 Introducing the next generation desktop application.

Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.

Translate tech terms into plain English. ?

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

Cloud Computing Project By:Jessica, Fadiah, and Bill.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Continous Integration & Continous Deployment - For the new nameserver infrastructures of DENIC eG 15/10/03 – Christian Petrasch

Path Construction “It’s Easy!” Mark Davis. Current WP Scope u Applications that make use of public key certificates have to validate certificate paths.

OARC TAR Panel. La Brea Tar Pit What was originally intended to expedite the roll-out of DNSSEC seems to be bogging it down instead People who read press.

Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Automated File Server Disk Quota Management May 13 th, 2008 Bill Claycomb Computer Systems Analyst Infrastructure Computing Systems Department Sandia is.

DNSSec.TLD is signed! What next? V.Dolmatov November 2011.

Best-in-class enterprise backup for the mobile enterprise Prepared for [Insert customer name] [Date}

 Remote monitoring and management (RMM), also known as network management or remote service software, is a built on application to help managed IT service.

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania Sprint Internet2 Member Meeting Arlington, Virginia, U.S.A., Apr 23rd 2007.

1 FRED – open source registry system CZ.NIC, z.s.p.o. Jaromír Talíř

A Logo for DNSSEC Wrapping DNSSEC into marketing Lutz Donnerhacke

Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.

Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources 1.

DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources.

SaudiNIC Riyadh, Saudi Arabia May 2017

Valibox: Bringing DNSSEC Validation to the Home

Agenda DNSSEC automation overview How to implement it in FRED

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

Department of Computer Science

State of DNSSEC deployment ISOC Advisory Council

op5 Monitor - Scalable Monitoring

IT443 – Network Security Administration Instructor: Bo Sheng

Free Cloud Management Portal for Microsoft Azure Empowers Enterprise Users to Govern Their Cloud Spending and Optimize Cloud Usage and Planning MICROSOFT.

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

CCNET Managed Services

DNS Cache Poisoning Attack

SmartHOTEL Solutions Powered by Microsoft Azure Provide Hoteliers with Comprehensive, One-Stop Automated Management of All Booking Channels MICROSOFT AZURE.

EasyMap Xplorer: See Your Business Data in a Map!

Microsoft Azure Platform Powers New Elements Constellation Software Suite to Deliver Invaluable Insights From Your Data for Marketing and Sales MICROSOFT.

Interlake Hybrid Cloud Management Suite

TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017

DNSSEC: An Update on Global Activities

PRIVILEGED ACCOUNT ABUSE

Offices: DC, London, Sydney

What DNSSEC Provides Cryptographic signatures in the DNS

Datacastle RED Delivers a Proven, Enterprise-Class Endpoint Data Protection Solution that Is Scalable to Millions of Devices on the Microsoft Azure Platform.

Getting Started.

MARMIND’s New Service Delivers a Single Centralized Marketing Plan That Connects Teams, Campaigns and Outcomes by Using the Power of the Azure Platform.

Smart Team Making a Beautiful software

Getting Started.

AIMS for BizTalk, Built on the Microsoft Azure Platform, Empowers Enterprises to Automate Insight and Analytics and Boost Value Creation MICROSOFT AZURE.

Geoff Huston APNIC Labs

DMAIC Roadmap DMAIC methodology is central to Six Sigma process improvement projects. Each phase provides a problem solving process where-by specific tools.

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75

Agenda Need of Cloud Computing What is Cloud Computing

Fixing the Internet: Think Locally, Impact Globally

What is WFA? Scenario – FC Provisioning

The Curious Case of the Crippling DS record

Cloud Computing for Wireless Networks

Presentation transcript:

1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa. OpenPGP 1C1C 6311 EF09 D819 E029 65BE BFB6 C9CB

2 Relevant company history DNSSEC activities ● Late adopter: Not developing the protocol ● Starting with a DLV, resulting in a survey ● Deploying DLV to ISP core and own company ● Introducing a signed root (on IANA zone data) ● Deploying signed root to customers ● Large scale tests: bgp.arpa.

3 Productive DNSSEC deployment Requirements ● Stable software ● Fully automatic key management ● Skilled customer support ● Upper management commitment ● Enthusiastic tech guys to solve obscure problems ● No sales activities: no customer expectations

4 Usage scenarios Signing ● Admins complain about broken (old) tool chains ● Zone different in various views (RFC1918/NAT) ● Automatic resigning requires additional daemons, additional monitoring, and additional alarm plans ● Signing while zone is modified: broken zone ● DNS appliance without DNSSEC capabilities ➔ Remote signing tools using hidden primary

5 Usage scenarios Verifying resolvers ● Turing on verification is useless ● Maintaining distributed trust anchors is hard ● Central maintaining is easier: DLV/signed root ● DLV caused software problems (mostly solved) ● Signed root misses important TLDs ● Security aware companies maintain own TARs

6 Usage scenarios Benefits or ROI ● Storage of public keys: Use DNS as PKI for SSH (automatic), OpenPGP and X.509 (manual) ● Securing ENUM ● Banks fear legal consequences if not all possible protection is offered ● Spam avoidance: Securing DKIM etc. pp. ● DNS as distributed database: bgp.arpa

7 Open discussion Who is really using DNSSEC? ● For which purpose? ● Which area of impact? LAN, company, or global? ● Does it work automatically? Out of the box? ● Which trust anchor management is used? ● Does it open new problems? Privacy? ● How was is done before/without DNSSEC? ● Is DNSSEC a product or plain (and free) infrastructure?

8 Productive DNSSEC Questions? Signed answers.