DNSSEC: An Update on Global Activities Dept. of Homeland Security Science & Technology Directorate DNSSEC: An Update on Global Activities EDUCAUSE Net@EDU Annual Mtg Tempe, AZ February 12, 2008 Douglas Maughan, Ph.D. Program Manager, CCI douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170 11/19/2018

National Strategy to Secure Cyberspace The National Strategy to Secure Cyberspace (2003) recognized the DNS as a critical weakness NSSC called for the Department of Homeland Security to coordinate public-private partnerships to encourage the adoption of improved security protocols, such as DNS The security and continued functioning of the Internet will be greatly influenced by the success or failure of implementing more secure and more robust BGP and DNS. The Nation has a vital interest in ensuring that this work proceeds. The government should play a role when private efforts break down due to a need for coordination or a lack of proper incentives. 11/19/2018

Domain Name System Security (DNSSEC) Program DNSSEC Program Objective “Carry forward to completion the recommendation from the National Strategy to Secure Cyberspace by engaging industry, government, and academia to enable all DNS-related traffic on the Internet to be DNSSEC compliant” Rationale / Background / Historical: DNS is a critical component of the Internet infrastructure and was not designed for security DNS vulnerabilities have been identified for over a decade and we are addressing these vulnerabilities End Goal: Greatly increase the security of the Internet (as critical infrastructure) by securing the DNS through the use of crypto signatures 11/19/2018

Performers Shinkuro, Washington, DC Sparta, Columbia, MD Roadmap Development and Execution International partner participation Support Tool Development Sparta, Columbia, MD Software Development – Servers, resolvers, applications Internet Standards activities NIST, Gaithersburg, MD Measurement and Evaluation Tools Government and Standards activities Connections with GSA, FISMA, and OMB 11/19/2018

DNSSEC Initiative Activities Roadmap published in February 2005; Revised March 2007 http://www.dnssec-deployment.org/roadmap.php Multiple workshops held world-wide DNSSEC testbed developed by http://www-x.antd.nist.gov/dnssec/ Involvement with numerous deployment pilots Formal publicity and awareness plan including newsletter Working with Civilian government (.gov) to develop policy and technical guidance for secure DNS operations and beginning deployment activities at all levels. Working with the operators of the “.us” and “.mil” zones towards DNSSEC deployment and compliance 11/19/2018

DNSSEC Roadmap Identifies the following activities: Remaining R&D Issues (Lead: Shinkuro) Software Development (Lead: Sparta) Server Resolver Applications Operational Considerations (Lead: Shinkuro) Root Registries Registrants Measurement and Evaluation (Lead: NIST) Outreach and Training (Lead: Shinkuro) 11/19/2018

Incremental Deployment Registries Work through various readiness levels Initial study -> Initial design -> Pilot -> Pre-deployment -> Operation Registrars Migrate to an EPP-based system Build extensions for existing non-EPP system ISPs Validation as a preferred service for some customers. Manage customized set of Trust Anchors for set of customers Detect key rollover events for known islands of trust Enterprise Internal deployment as part of corporate system integrity and protection Trading partners Distinguish between safe and questionable sites 11/19/2018

Leveraging Existing Efforts ccTLDs with operational DNSSEC Services Sweden: http://www.iis.se/products/sednssec2 Bulgaria: https://www.register.bg/ Brazil: https://www.registro.br Puerto Rico: http://www.dnssec.nic.pr/ RIPE-NCC Reverse zones that it manages and e164.arpa zone (ENUM) https://www.ripe.net/rs/ DNSSEC initiatives in .UK and .DE Strong advocates of DNSSEC, but waiting for NSEC3 for some zones http://www.denic.de/en/domains/dnssec/index.html and http://www.nominet.org.uk/tech/dnssectest/ JPRS Working on integrating DNSSEC signing into existing workflow to maintain short update assurances http://losangeles2007.icann.org/node/77 11/19/2018

Leveraging Existing Efforts (cont) NIC Mexico Developing the infrastructure, procedures and technology for a future DNSSEC deployment in the .mx ccTLD http://www.dnssec.org.mx .ORG testbed PIR has maintained the .ORG testbed to enable its registrars to test DNSSEC-capable systems http://www.pir.org/RegistrarResources/DNSSecurityTestbed.aspx SNIP testbed for .GOV Provide “distributed training ground” for .gov operators deploying DNSSEC http://www.dnsops.gov IANA Testbed for signing zones that IANA controls Also has a prototype for ‘a’ signed copy of the Root zone https://ns.iana.org/dnssec/status.html 11/19/2018

FISMA Activities Intended to set the IT security policy for all USG systems, contractors, and data. Collection of documents produced by NIST FIPS, Special Publications (SP) series Goes into effect one year after publication of security controls publication (SP 800-53r1) Published Dec, 2006 -> goes into effect Dec, 2007 NIST Special Pub 800-53A Guide for Assessing the Security Controls in Federal Information Systems Final publication scheduled Dec 2007 NIST SP800-57 Recommendations for Key Management 3-part companion guide to FISMA

The Big Picture – DNSSEC in .gov Internet2 DNSSEC Pilot SNIP Core Infrastructure dnsops.gov. dnsops.biz esnet.doe.dnsops.gov. fda.dnsops.gov. zoneedit dhs.dnsops.gov. nist.dnsops.gov. ag1.dnsops.gov. ag2.dnsops.biz. DREN DNSSEC Pilot dns-outsource.com antd.nist.dnsops.gov. 11

NIST Effort - SNIP Secure Naming Infrastructure Pilot (SNIP) Aiding deployment by: Providing a connected training ground Educational resources/guides Modeling infrastructures Testbed for systems Relying on user participation Aid in deployment, not a proof-of-concept experiment 11/19/2018

SNIP Overview Agencies get delegations to run a secure “shadow-zone” nist.gov becomes nist.dnsops.gov Contractors become “contractor.dnsops.biz” Administrators use dnsops.gov/biz delegation to practice DNSSEC operations Infrastructure modeling Attempts to model an agency’s current DNS in NIST/Sparta labs Testbed for systems Authoritative servers, caches, and DNSSEC administrator tools 11/19/2018

Need for Signing the Root Zone Root Zone is at the top of the DNS hierarchy Signing the Root Zone will allow DNSSEC-capable resolvers to perform the data integrity and origin authenticity checks using the Root Zone Public Key(s) as the common trust point(s). A signed Root Zone and a widely deployed DNS system that supports DNSSEC will be a major step forward in the ongoing effort to secure the Internet 11/19/2018

Root Zone Requirements Full operation of DNSSEC at the Root level requires several component capabilities Generation and Maintenance of Keys Accepting “secure delegation” from TLDs Signing the Root Zone and handling of private key material Distribution and the subsequent “serving” of the signed Root Zone by Root Name Server Operators Publication of the Root Zone Public Keys 11/19/2018

Future Activities Pilot deployments of DNSSEC on .us and .gov networks Continue getting all the necessary government players Working with OMB, DHS, DOC on rollout strategy Outreach, communication and training Preparation of root servers Testing of end user software gTLD and ccTLD testbeds Community-based identification of existing software Candidate operational policies and procedures 11/19/2018

Summary and Challenge Lots of progress over the past 24 months More to come in 2008 USG taking a leadership role Working with other parts of Internet infrastructure Working with vendors Providing resources to help others Challenge: What’s keeping you from securing your DNS infrastructure? 11/19/2018

For more information, visit http://www.cyber.st.dhs.gov Douglas Maughan, Ph.D. Program Manager, CCI douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170 For more information, visit http://www.cyber.st.dhs.gov 11/19/2018