What DNSSEC Provides Cryptographic signatures in the DNS

Slides:



Advertisements
Similar presentations
DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Advertisements

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
PKI Implementation in the Real World
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Security and Information Assurance for the DNS Dan Massey USC/ISI.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin
Security Issues with Domain Name Systems
Rolling the Root Zone DNSSEC Key Signing Key
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
Security on OpenStack 11/7/2013
SaudiNIC Riyadh, Saudi Arabia May 2017
DNS Security Advanced Network Security Peter Reiher August, 2014
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
DNSSEC Deployment Challenges
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
State of DNSSEC deployment ISOC Advisory Council
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania
DNS Session 5 Additional Topics
DNS Cache Poisoning Attack
CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNSSEC Iván González Montemayor A
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
DNS security.
R. Kevin Oberman ESnet February 5, 2009
DNSSEC Basics, Risks and Benefits
Security, Cryptography, and Magic
TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017
DNSSEC: An Update on Global Activities
NAAS 2.0 Features and Enhancements
Cyber Security Authentication Methods
Future DNSSEC Directions
Public Key Infrastructure from the Most Trusted Name in e-Security
Technical Approach Chris Louden Enspier
Measuring KSK Roll Readiness
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
Public Key Infrastructure
Geoff Huston APNIC Labs
Install AD Certificate Services
Advanced Computer Networks
September 2002 CSG Meeting Jim Jokl
Security in SDR & cognitive radio
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
National Trust Platform
Neda Kianpour - Lead Network Engineer - Salesforce
Presentation transcript:

What DNSSEC Provides Cryptographic signatures in the DNS Integrates with existing server infrastructure and user clients Assures integrity of results returned from DNS queries: Users can validate source authenticity and data integrity Checks chain of signatures up to root Protects against tampering in caches, during transmission Not provided: message encryption, security for denial-of-service attacks

Trust Anchors installed on client resolvers. DNSSEC Chain of Trust “.” – DNS root. Trust Anchors installed on client resolvers. KSK ZSK KSK KSK se. gov. KSK KSK KSK ZSK ZSK ZSK KSKs KSKs KSK KSK opm.gov. nist.gov. KSK’s often serve as the “anchor” of authentication chain. The higher up in the tree, the more useful the trust anchor KSK KSK ZSK ZSK Data Data

Deployment in .gov Policy Drivers: OMB Memo, FISMA Docs and tools: NIST SP 800-81(r1), NIST SP 800-57 Part 3, SNIP Testbed. Two big deadlines OMB Memo: External authoritative zones by Dec 2009 FISMA: 12 months after publication of Controls document (SP 800-53), August/Sept 2010 – all Federal systems. Progress so far: ~70 signed delegations, another 20-30 signed but not chained.

Lessons Learned from Early Deployments Deployment is really a content management exercise, not just a security exercise FISMA, other drivers lead to centralization of many network operations How is the data handled will help how best to deploy Signing is easy, key management is hard HSM’s vs. offline storage key rollover/resigning Communication more important than strong crypto Knowing who to contact (parent zone and subzones) important.

More Lessons Learned Upgrade vs. new purchases Majority of agencies may not need investment in new equipment – upgrades may be enough, but it depends on current plans May choose to for other reasons, but DNSSEC may not be the driver Invest the same importance in the keys as you do the data There is such a thing as overkill Consider information leakage as well Do not need to wait on anybody to deploy first Majority of work is internal operations, interface to parent zone will be in a standard form Practice makes perfect - SNIP

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.