ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA

Slides:

Advertisements

Similar presentations

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Advertisements

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

Update on ccTLD Agreements Montevideo 9 September, 2001 Andrew McLaughlin.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Disaster Recovery and Business Continuity Plan Testing: Practice Makes Perfect B.J. Block, Information Security AnalystMarch 22, 2007.

Recovery Planning A Holistic View Adam Backman, President White Star Software

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

Agenda CWG-Stewardship Meeting - 27 March, 2015 in Istanbul 09:00 – 09:15 Introduction / overview of agenda 09:15 – 09:45 Further questions on legal 09:45.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Introduction to ICANN’s new gTLD program. A practical example: the Dot Deloitte case. Jan Corstens, Partner, Deloitte WIPO Moscow, 9 Dec 2011.

Technical Area Report Bryon Ellacott, Technical Area Manager APNIC 28.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

CORPORATE UPDATE AFRINIC 17 Anne-Rachel Inné. Team Work: activity plans, improvement of services Ongoing projects – ISO certification – Performance Management.

IANA Activities Update RIPE 68 Warsaw, Poland May 2014.

2011 – 2014 ICANN Strategic Plan Development Stakeholder Review 4 November 2010.

Revised Draft Strategic Plan 4 December 2010.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Storage Security and Management: Security Framework

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

IANA Department Activities, RIPE 66, Dublin, Ireland May 2013 Elise Gerich.

Andreas Steffen, , 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

CcTLD/ICANN Contract for Services (Draft Agreements) A Comparison.

ICANN Update: What Next for Trademark Owners? 22 nd Annual Fordham Int’l IP Law & Policy Conference 25 April 2014.

Update from ICANN staff on SSR Activities Greg Rattray Tuesday 21 st 2010.

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.

Technical Area Report Byron Ellacott Technical Area Manager.

Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015

TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)

Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.

Name Position Organisation Date. What is data integration? Dataset A Dataset B Integrated dataset Education data + EMPLOYMENT data = understanding education.

DNSSEC deployment in NZ Andy Linton

Technical Area Report Byron Ellacott, Technical Area Director 1.

Joint Techs, Albuquerque Feb © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

Rolling the Root Geoff Huston APNIC Labs. Use of DNSSEC in Today’s Internet.

OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Root Zone KSK Maintenance Jaap Akkerhuis | ENOG -10 | October 2015.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Cloud Archive By: Kimberly Nolan. What it is?  The goal of a cloud archiving service is to provide a data storage (ex. Google drive and SkyDrive) as.

Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.

Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015.

DNSSEC Practices Statement Module 2 CaribNOG 3 12 June 2012, Port of Spain, Trinidad

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

TAG Presentation 18th May 2004 Paul Butler

Rolling the Root Zone DNSSEC Key Signing Key

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

SaudiNIC Riyadh, Saudi Arabia May 2017

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

State of DNSSEC deployment ISOC Advisory Council

TAG Presentation 18th May 2004 Paul Butler

A Longitudinal, End-to-End View of the DNSSEC Ecosystem

TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017

Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research

What DNSSEC Provides Cryptographic signatures in the DNS

DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75

DNSSEC Status Update in UA

The Curious Case of the Crippling DS record

Capitalize on Your Business’s Technology

.uk DNSSEC Status update

Presentation transcript:

ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA

DNSSEC Activity Calls from the community to sign the root. TLD’s sign their zones Close cooperation with DNSSEC deployment and security experts to develop signing system for.arpa and root Signed root publicly available at ns.iana.org for over a year Presentations describing system and seeking feedback at various fora DNSSEC and root zone management are part of ICANN Strategic Plan – a primary part of our business ICANN paper published (7/24) Interim-TAR (almost there), RZM (ongoing) Kaminsky (8/5) ICANN submits proposal to sign the root (9/2) NTIA response (9/9)

elements of root signing Important elements of a root-signing solution are transparency, public consultation, broad stakeholder participation (e.g. key ceremony), flexibility, reliability, and trust; Solution has to balance various concerns, but must provide for a maximally secure technical solution and one that provides the trust promised by DNSSEC; An open, transparent and international participatory process will allow for root zone management to adapt to changing needs over time as DNSSEC is deployed throughout the Internet and as new lessons are learned.

Preservation of Trust Maintain trust from TLD operator to signed root. Any chain is only as strong as its weakest link. Increased confidence in DNS will depend more on this chain. Eliminate avenues for potential corruption during transmission between organizations. Keys (DS) should not have to go to another organization before being protected by signing. So the validator of changes signs the zone. A conclusion other DNSSEC deployers have come to. Will allow for timely and accurate TLD key replacement in the face of compromise Introduction of new gTLDs will stress this link

Transparency Open and transparent process for technical infrastructure design and signing oversight functions. KSK’s not under control of one organization. No security through obscurity: open source and designs Continuous collaboration with DNSSEC experts to evolve design as lessons are learned. Regular auditing and reports

Preparedness IANA’s “business” is root zone management. DNSSEC is part of ICANN’s Strategic Plan. IANA signed root was developed closely with DNSSEC experts. Publicly available for 15 months. Interim-TAR during the testing period (almost done! delayed by very effective TLD recursive resolver and patch effort – thank you Kim+OARC+operators!) RZM would be modified to be ready to handle DS records incorporating technology and lessons from I-TAR Automation: signing, ZSK rollover (to avoid costly risk of service failures and errors), monitoring, notifications Kept the process and design simple Final design and ongoing modifications would be based on public consultation process with experts Plan on regular audits and reports on system operation and security

Behind ns.iana.org SIGNER HSM KSK HSM ZSK NS TEST A TEST M ADMIN RZM ROOT DB CLASS 5 IPS CONTAINER 2-3 INSTANCES vetting process, accept/reject I-TAR TLDs ns.iana.org pch-test.iana.org anycast SIGNER, NS, ROOT DBs: DELL 1950 /w 2xPS, 2XSAS, 2xCPU HSM: AEP KEYPER FIPS Level 4 (Disposable) System status at: hr manned multiple biometric controlled facility, NSA NSTISSP #10, GSA Class 5 Safe (approved for Top Secret)

Key Ceremony Keys are not under the control of a single organization. IANA is key custodian only. Fresh key generation hardware each KSK gen. Dispose or recycle old. Community decides how, where, when, and who Any Interested stakeholders, auditors, publishers. Key has value only when witnessed and published by all. Filmed and broadcast Keys cannot be extracted, cloned or otherwise. Private key in FIPS level 4 HSM (used by UN treaty org, etc). Key never leaves HSM. Tamper attempt destroys contents. Backup HSM’s configured during Key Ceremony Community decides how, where, and who for backup and disaster recovery Other schemes using other equipment (e.g., M of N) supported via PKCS11 standard interface.

Wasn’t done alone: Thanks to: Paf, Olaf, Roy, Jakob, Dickinson, Russ, Soltero (.pr), Crocker, drc, Don Davis, David Miller, … Thank you for listening Questions ?