R. Kevin Oberman ESnet February 5, 2009

Slides:



Advertisements
Similar presentations
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Advertisements

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
DNSSEC deployment in NZ Andy Linton
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.
DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc Samuel Morse Dr. Columbia MD Ph:
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Rolling the Root Geoff Huston APNIC Labs March 2016.
Increasing the Zone Signing Key Size for the Root Zone
A Logo for DNSSEC Wrapping DNSSEC into marketing Lutz Donnerhacke
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Security Issues with Domain Name Systems
Rolling the Root Zone DNSSEC Key Signing Key
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
A Speculation on DNS DDOS
DNS zones and resource records
DNS Security.
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
Common Methods Used to Commit Computer Crimes
Department of Computer Science
State of DNSSEC deployment ISOC Advisory Council
DNSSEC Operations in .gov
Geoff Huston APNIC Labs September 2017
NIC Chile Secondary DNS Service History and Evolution
CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others
A Speculation on DNS DDOS
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
draft-zhang-dnsext-test-result-00
New Functionality in ARIN Online
Managing Name Resolution
Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research
What DNSSEC Provides Cryptographic signatures in the DNS
Certificates An increasingly popular form of authentication
BGP Multiple Origin AS (MOAS) Conflict Analysis
Geoff Huston APNIC Labs
Coming up: What is Agile?
DNS operator transfers with DNSSEC
DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75
Extreme Programming.
DNSSEC Status Update in UA
The Curious Case of the Crippling DS record
Preventing Privilege Escalation
Business Zone - Clearing your Cache
Trust Anchor Signals from Custom Applications
.uk DNSSEC Status update
GET ACCESS TIP: Only have the course key? Enter the following URL and replace the X’s with your course key (include the dashes). login.cengagebrain.com/course/xxxx-xxxx-xxxx.
Neda Kianpour - Lead Network Engineer - Salesforce
Presentation transcript:

R. Kevin Oberman ESnet February 5, 2009 DNSSEC Update R. Kevin Oberman ESnet February 5, 2009

.gov Now Signed! .gov formally signed Feb. 1 Not yet accepting delegated keys Will start doing so in a few days

Time to sign With signed .gov, it is time for those in .gov space to start signing Be sure that you are ready Don’t rush Test before officially signing

How to Sign http://www.dnssec-tools.org Signing appliance Work done by Sparta under contract to the US Government Tools are open source and free Allow fairly easy implementation of most DNSSEC requirements Signing appliance Easiest operation Least likely to fail

Use BIND-9.6.0-P1 or later Supports NSEC3 NSEC3 prevents zone enumeration Required to ‘hide’ zone data Prevents effective zone transfer Supports ‘automatic’ key update to parent Greatly simplifies key management

Key Issues Two ‘types’ of keys Zone signing keys (ZSKs) sign RRsets in zone files Key signing keys (KSKs) sign the ZSKs All keys use symmetric public keys much like ssh Data may be signed by multiple keys

Key Management Zone signing key must be changed monthly Key signing keys must be changed annually Valid public key must ALWAYS be available for current and cached data Watch TTLs—long cache life complicates emergency key changes TTLs should probably be no longer than a few hours

Three Key Shuffle Keys A, B, and C Data signed with A and B To roll keys: Generate new key pair (C) Sign data with B and C Keeps each key active for two cycles All cached data always signed with active key

No Room for Error! Data not signed by valid key will not validate Queries for your data will fail on validating servers Your zone will ‘disappear’ from the Internet Your users will be very unhappy!

No Key Revocation! Keys may be withdrawn, but not revoked New key can be put in place very quickly Cached data will not be valid if no valid key is in place Keep TTLs short

The Clock is Ticking OMB requires that zones immediately under .gov be signed by the end of 2009 You need to start working on a signing solution NOW!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.