DNSSEC Operations in .gov


DNSSEC Operations in .gov
Scott Rose, NIST
27th DNS-OARC Workshop, San Jose CA

Topics Covered
- Signing algorithm usage, including algorithm rollovers
- DS hash algorithms in use
- NSEC/NSEC3 usage, including NSEC3 parameter choices and changes
Question: Is DNSSEC being used properly in .gov? If not, what needs to be improved?

DNSSEC Deployment in .gov Holding steady at ~84% for federal, ~20% overall

Algorithms used in .gov

Algorithm              2015*   2016   2017
None                    226   3919   2936
RSA/SHA-1 (5)            63     76     83
RSA/SHA-1 NSEC3 (7)     510    521    456
RSA/SHA-256 (8)         525    618    603
RSA/SHA-512 (10)          1      5      6
ECDSA P-256 (13)**
Totals                 1325   5140   4085

*Monitored list contained only federal .gov domains until 2016, when a larger list including state and local .gov delegations was published.
**ECDSA with Curve P-256 was only recently allowed for upload to the .gov registrar.

Algorithm rollover 2015-2017 (From -> To: number of zones 2015->2016, 2016->2017)
- 5 -> 7: 3, 1
- 5 -> 8: 4, 7
- 7 -> 5: 9 (only one value survives in the transcript; the year column is not recoverable)
- 5 -> 0: no count given
- 7 -> 10: no count given
- 7 -> 8: 22, 51
- 8 -> 5: 2 (only one value survives in the transcript; the year column is not recoverable)

DS RR Hashes Used (June 2017)

Hash algorithm used    Number of zones
Neither                 23
SHA-1 only             114
SHA-256 only            93
Both                   915

Technically, SHA-1 is still allowed in DS RRs because the security of the DS RR comes from the RRSIG over the DS RRset, not from the DS RR itself. The hash in the DS RR only serves to identify the DNSKEY RR at the child delegation.
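To make the "identifies the DNSKEY" point concrete, the following added example (not code from the talk or from NIST) builds the DS digest exactly as RFC 4034 defines it, hash(owner name in wire form || DNSKEY RDATA), for both digest types seen in .gov, and shows the check a validator performs when matching a parent-side DS against a child DNSKEY. The owner name example.gov. and the public key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest types used in .gov: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name such as 'example.gov.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), lowercase hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest()

def ds_for_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type):
    """The DS RDATA (key tag, algorithm, digest type, digest) that names this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)

def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey):
    """A validator's check: does this parent-side DS identify this child DNSKEY?"""
    tag, alg, dtype, digest = ds
    if alg != algorithm or dtype not in DIGEST_TYPES:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return tag == key_tag(rdata) and digest == ds_digest(owner, rdata, dtype)

# Constructed sample KSK (flags 257, algorithm 8) with a made-up public key;
# it is not a real .gov key.
SAMPLE_KEY = base64.b64decode("AwEAAc4vU3YcSx0c1NfP1mHDQ2HYGJ7iWj8Os8rQ1N0vDYJ2Ud9k")
if __name__ == "__main__":
    for dtype in (1, 2):  # publish both digest types, as most .gov zones do
        print(ds_for_dnskey("example.gov.", 257, 3, 8, SAMPLE_KEY, dtype))
```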

NSEC3 Parameters – Iterations Note: From RFC 5155 (Sec 10.4) the Iterations value SHOULD be below 500.

NSEC3 Parameters – Salt Length

NSEC3 Usage: Changes to Salt/Iterations
Changes in salt values and/or number of iterations in .gov delegations that use NSEC3 (June 2017 to Aug 2017, 968 zones monitored).

Operation              Num. zones
Changed salt                  553
Changed iterations             20

Of those zones, 18 changed both during this period.
Every zone also rotated keys (even those that did not change parameter values), so salt and iteration changes are not always synced with ZSK rollovers.
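The measurement above can be reproduced from two snapshots of each zone's NSEC3PARAM record. This added example (not the talk's own tooling) parses NSEC3PARAM presentation-format lines, counts zones that changed salt, iterations, or both between two monitoring runs, and flags zones whose iteration count is above the 500 ceiling the previous slide cites; the zone names and parameter values are constructed.

```python
import re
from collections import Counter
# NSEC3PARAM presentation format: <hash alg> <flags> <iterations> <salt hex or '-'>
NSEC3PARAM_RE = re.compile(r"^(\S+)\s+IN\s+NSEC3PARAM\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
MAX_ITERATIONS = 500  # the ceiling the slides cite from RFC 5155

def parse_nsec3param(line):
    """Return (zone, hash_alg, flags, iterations, salt) from one zone-file line."""
    m = NSEC3PARAM_RE.match(line.strip())
    if not m:
        raise ValueError("not an NSEC3PARAM record: " + line)
    zone, alg, flags, iters, salt = m.groups()
    return zone.lower(), int(alg), int(flags), int(iters), salt.lower()

def snapshot(lines):
    """Map zone name -> parsed NSEC3PARAM for one monitoring run."""
    return {p[0]: p for p in map(parse_nsec3param, lines)}

def compare_snapshots(before, after):
    """Count zones whose salt, iterations, or both changed between two runs, and
    list zones whose iteration count in the later run exceeds MAX_ITERATIONS."""
    counts = Counter({"changed_salt": 0, "changed_iterations": 0, "changed_both": 0})
    too_high = []
    for zone, (_, _, _, iters, salt) in after.items():
        old = before.get(zone)
        if old is not None:
            salt_changed = old[4] != salt
            iters_changed = old[3] != iters
            counts["changed_salt"] += salt_changed
            counts["changed_iterations"] += iters_changed
            counts["changed_both"] += salt_changed and iters_changed
        if iters > MAX_ITERATIONS:
            too_high.append(zone)
    return dict(counts), too_high
# Constructed sample snapshots (not real .gov monitoring data).
JUNE = [
    "a.gov. IN NSEC3PARAM 1 0 10 ab12cd34",
    "b.gov. IN NSEC3PARAM 1 0 100 deadbeef",
    "c.gov. IN NSEC3PARAM 1 0 10 -",
    "d.gov. IN NSEC3PARAM 1 0 2500 0011",
]
AUGUST = [
    "a.gov. IN NSEC3PARAM 1 0 10 ff00ff00",   # salt rotated only
    "b.gov. IN NSEC3PARAM 1 0 150 0badf00d",  # salt and iterations changed
    "c.gov. IN NSEC3PARAM 1 0 10 -",          # unchanged
    "d.gov. IN NSEC3PARAM 1 0 2500 0011",     # unchanged, iterations above cap
]
if __name__ == "__main__":
    print(compare_snapshots(snapshot(JUNE), snapshot(AUGUST)))
```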

What Should be Done?
- Nothing (i.e. not a problem)?
- Get automated NSEC3 parameter changes built into appliances?
- Promote best common practices?