DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai


Demo Implementation

Key lengths – KSK: 2048 RSA, ZSK: 1024 RSA
Rollover – KSK: as needed, ZSK: 90 days
RSASHA256, NSEC3
Physical – HSM/smartcards inside Safe inside Rack inside Cage inside Commercial Data Center
Logical – Separation of roles: cage access, safe combination, HSM/smartcard activation across three roles
Crypto – use FIPS certified smartcards as HSM and RNG
  – Generate KSK and ZSK offline using RNG
  – KSK use off-line
  – ZSK use off-net

Off-Line Key generator and KSK Signer

[Diagram labels: KSK+RNG smartcards; KSK+RNG reader; laptop; Live O/S DVD; KSK signed DNSKEYs; Encrypted ZSKs; Flash Drive; enclosures: SAFE, RACK, CAGE, DATA CENTER]

Off-Net Signer

[Diagram labels: KSK signed DNSKEYs; Encrypted ZSKs; Flash Drive; signer; firewall; zonefile; hidden master; nameserver; enclosures: RACK, CAGE, DATA CENTER]

Key Management

[Diagram labels: Offline Laptop (Secure Key Generation and Signing Environment): Generate KSK, Generate ZSKs, Sign ZSKs with KSK; Transport KSK signed DNSKEY RRsets and Encrypted ZSKs; Online/off-net DNSSEC Signer: Sign zones with ZSK, unsigned zone, signed zone]

Key Management

[Diagram labels: Online/off-net DNSSEC Signer: Generate ZSKs, Sign zones with ZSK, unsigned zone, signed zone; Transport public half of ZSKs; Offline Laptop (Secure Key Generation and Signing Environment): Generate KSK, Sign ZSKs with KSK; Transport KSK signed DNSKEY RRsets]
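
Added example (not part of the original slides): a check that could run on the off-net signer before it accepts a transported KSK signed DNSKEY RRset, confirming that each key matches the parameters on the Demo Implementation slide (RSASHA256, KSK 2048-bit, ZSK 1024-bit). The function names, the "example." owner name, the TTL and the sample keys are assumptions constructed for illustration; the sample key material is filler of the right length, not real RSA keys.

```python
import base64

# Policy from the "Demo Implementation" slide: RSASHA256 (DNSSEC algorithm
# number 8), KSK 2048-bit RSA (flags 257), ZSK 1024-bit RSA (flags 256).
POLICY = {257: ("KSK", 2048), 256: ("ZSK", 1024)}
RSASHA256 = 8

def rsa_modulus_bits(pubkey):
    """Bit length of the modulus in an RFC 3110 RSA public key field."""
    if pubkey[0] != 0:                      # one-byte exponent length
        exp_len, offset = pubkey[0], 1
    else:                                   # zero byte, then two-byte length
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    return int.from_bytes(pubkey[offset + exp_len:], "big").bit_length()

def check_dnskey(line):
    """Return the policy violations for one presentation-format DNSKEY RR."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    if flags not in POLICY:
        return [f"flags {flags} is neither KSK (257) nor ZSK (256)"]
    role, want_bits = POLICY[flags]
    problems = []
    if proto != 3:
        problems.append(f"{role}: protocol {proto}, must be 3")
    if alg != RSASHA256:
        problems.append(f"{role}: algorithm {alg}, policy requires {RSASHA256}")
    else:
        bits = rsa_modulus_bits(base64.b64decode("".join(fields[i + 4:])))
        if bits != want_bits:
            problems.append(f"{role}: {bits}-bit modulus, policy requires {want_bits}")
    return problems

def constructed_key(bits):
    """Filler of the right size for the samples below, NOT a real RSA key."""
    modulus = b"\x80" + b"\x01" * (bits // 8 - 1)
    return base64.b64encode(b"\x03\x01\x00\x01" + modulus).decode()

# Constructed sample records; "example." and the TTL are placeholders.
SAMPLE = [
    f"example. 3600 IN DNSKEY 257 3 8 {constructed_key(2048)}",
    f"example. 3600 IN DNSKEY 256 3 8 {constructed_key(1024)}",
    f"example. 3600 IN DNSKEY 256 3 8 {constructed_key(512)}",   # short ZSK
    f"example. 3600 IN DNSKEY 257 3 5 {constructed_key(2048)}",  # RSASHA1 KSK
]

if __name__ == "__main__":
    for rr in SAMPLE:
        print(rr[:40] + "...", check_dnskey(rr) or "ok")
```

The check looks only at the public DNSKEY records, so it needs no access to the encrypted ZSKs or to the smartcards.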