Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

Presentation transcript:

Internet2 DNSSEC Pilot
Shumon Huque, University of Pennsylvania
ESCC/Internet2 Joint Techs Workshop, Minneapolis, Minnesota, U.S.A., Feb 14th 2007

Description of the Pilot
http://www.dnssec-deployment.org/internet2/
- Deploy DNSSEC
- Gain operational experience
- Does it work (does it catch anything?)
- Test DNSSEC-aware applications
- Participants sign at least one of their zones
- Exchange keys (trust anchors) that will allow them to mutually validate DNS data

What is DNSSEC?
- A system to verify the authenticity of DNS "data"
- RFC 4033, 4034, 4035
- Helps detect: spoofing, misdirection, cache poisoning
- Some secondary benefits appear: you could store keying material in DNS (DKIM, SSHFP, IPSECKEY, etc.)

A little background
- Feb '06: DNSSEC Workshop held at Albuquerque Joint Techs
- Mar '06: dnssec@internet2 mailing list
- Apr '06: Internet2 Spring Member Meeting; advisory group formed and plans for a pilot project formulated
- May '06: Pilot group began bi-weekly conference calls and progress reports

Co-ordination
- Internet2
- Shinkuro: partner in DNSSEC Deployment Initiative, http://www.dnssec-deployment.org/
- Some funding from US government

DNSSEC Deployment Efforts so far
- MAGPI GigaPoP: all zones (magpi.{net,org} & 15 reverse zones); https://rosetta.upenn.edu/magpi/dnssec.html
- MERIT: radb.net, nanog.org; http://www.merit.edu/networkresearch/dnssec.html
- NYSERNet: test zone nyserlab.org

Others considering or planning deployment
- University of Pennsylvania
- University of California - Berkeley
- University of California - Los Angeles
- University of Massachusetts - Amherst
- Internet2

DLV (DNSSEC Lookaside Validation)
- A mechanism to securely locate DNSSEC trust anchors "off-path"
- An early deployment aid until top-down deployment of DNSSEC happens
- Pilot group is in talks to make use of ISC's DLV registry: http://www.isc.org/index.pl?/ops/dlv/
- More on this at a later date

More participants welcome! (participation not restricted to Internet2)
- Join mailing list
- Participate in conference calls

Thoughts on deployment obstacles (1): A chicken & egg problem
- Marginal benefits until much more deployment; why should I go first?
- We had (have?) the same problem with other technologies (IPv6 etc.)
- Some folks will need to take the lead if there is hope for wider adoption
- Good way to find out how well it works

Thoughts on deployment obstacles (2): Operational stability
- More complicated software infrastructure
- New processes for: zone changes, secure delegations, security (protection of crypto keys), key rollover and maintenance
- Integration w/ existing DNS management software
- What is the experience of the pilot?

Thoughts on deployment obstacles (3): Additional system requirements
- Authoritative servers: memory
- Resolvers: memory & CPU
- Memory use can be calculated; probably not a big issue (unless you're .COM!)
- CPU: not too much of an issue today (dearth of signed data that needs validation)
- Caveat: some potential DoS attacks could hit CPU

Thoughts on deployment obstacles (4): Key distribution in islands of trust
- Why is there no top-down deployment? Work on signing root and (many) TLDs and in-addr.arpa is in progress
  - .SE, RIPE reverse done
  - .EDU work in motion
- Interim mechanisms like DLV exist
- Manual key exchange (unscalable)

Thoughts on deployment obstacles (5): Stub resolver security (e2e security)
- An area of neglect in my opinion
- Push DNSSEC validation to endstations?
- Secure path from stub resolver to recursive resolver; possibilities: SIG(0), TSIG, IPsec

Thoughts on deployment obstacles (6): Application layer feedback
- Coming gradually
- DNSSEC-aware resolution APIs, and applications enhanced to use them
- DNSSEC-aware applications: see http://www.dnssec-tools.org/
- Note: some folks think it might be nice to protect DNSSEC-oblivious applications silently as an interim step

Thoughts on deployment obstacles (7): Zone enumeration threat
- An NSEC record names the next existing owner name in canonical order, so a chain of authenticated negative answers reveals every name in a signed zone
- See NSEC3 record (spec almost done), which replaces the owner names in the chain with salted hashes: draft-ietf-dnsext-nsec3-09.txt
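To make the NSEC3 mitigation concrete, the following is an added example, not code from the slides or from the pilot project: it implements the NSEC3 owner-name hash of the draft that became RFC 5155 (the iterated, salted SHA-1 over the canonical wire form of a name) and the "covering record" check a validator performs on an NSEC3 negative answer. It assumes hash algorithm 1 (SHA-1), a salt written in hex as in the NSEC3PARAM presentation format, and a constructed zone "example." with a handful of names; the salt and iteration count match the RFC's own worked example so the apex hash can be compared against that published value.

```python
import hashlib
import base64

# Added example (not from the original slides or project).
# Assumptions: NSEC3 hash algorithm 1 (SHA-1), salt given as hex,
# and the constructed zone contents in main() below.

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 "extended hex" alphabet
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): labels lowercased,
    each prefixed by its length byte, terminated by the empty root label."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: IH(salt, x, 0) = H(x || salt), IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returned as lowercase base32hex, the form used for NSEC3 owner names."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes = 160 bits = exactly 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def nsec3_covers(owner: str, nxt: str, h: str) -> bool:
    """True when hash h lies strictly between an NSEC3 owner hash and its next-hash field.
    The last record in the chain points back to the first, so it covers the wrap-around."""
    owner, nxt, h = owner.lower(), nxt.lower(), h.lower()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def build_nsec3_chain(names, salt_hex, iterations):
    """Hash every existing name and link the hashes into the sorted, circular chain
    a signer publishes as (owner hash, next hash) pairs. Unlike an NSEC chain,
    nothing here reveals the cleartext names."""
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)][0]) for i, (h, _) in enumerate(hashed)]


def prove_nonexistence(chain, qname, salt_hex, iterations):
    """Return the (owner, next) pair whose gap covers qname's hash, or None when the
    hash equals an existing owner (i.e. the name exists). A full NSEC3 proof also
    needs closest-encloser and wildcard records; this checks the single covering
    record for a name directly below the apex."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner == h:
            return None
        if nsec3_covers(owner, nxt, h):
            return (owner, nxt)
    raise AssertionError("a complete circular chain always matches or covers")


def main():
    # Constructed zone; salt and iterations as in the RFC 5155 Appendix A example.
    salt, iters = "aabbccdd", 12
    names = ["example.", "www.example.", "mail.example.", "a.example."]
    chain = build_nsec3_chain(names, salt, iters)
    print("apex hash:", nsec3_hash("example.", salt, iters))
    for owner, nxt in chain:
        print(f"{owner}.example. NSEC3 1 0 {iters} {salt} {nxt}")
    print("www.example. exists:", prove_nonexistence(chain, "www.example.", salt, iters) is None)
    print("nosuchname.example. covered by:", prove_nonexistence(chain, "nosuchname.example.", salt, iters))


if __name__ == "__main__":
    main()
```

The chain printed by main() is what a resolver walking the zone would see: hashes in base32hex order, with no owner names in the clear. The salt and iteration count are the zone's NSEC3PARAM values and are public; they do not make guessing a name harder, only force the guess to be rehashed per zone.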

References
- Internet2 DNSSEC Pilot: http://www.dnssec-deployment.org/internet2/
- http://rosetta.upenn.edu/magpi/dnssec.html
- Mailing list: dnssec@internet2.edu, https://mail.internet2.edu/wws/info/dnssec
- Internet2 DNSSEC Workshop: http://events.internet2.edu/2006/jt-albuquerque/sessionDetails.cfm?session=2491&event=243

References (2)
- DNSSEC(bis) technical specs: RFC 4033, 4034, 4035
- DNSSEC HOWTO: http://www.nlnetlabs.nl/dnssec_howto/
- Threat analysis of the DNS: RFC 3833
- Operational practices: RFC 4641
- NSEC3: draft-ietf-dnsext-nsec3-09
- DLV: draft-weiler-dnssec-dlv-01
- Related: draft-hubert-dns-anti-spoofing-00

Questions?
Shumon Huque, shuque -at- isc.upenn.edu