Signed since September 2005 What’s it like 7 months later? Anne-Marie Eklund Löwinder,


What is .se?
‣ The Kingdom of Sweden TLD, operated by II-stiftelsen
‣ ~ domains ( )
‣ A daily growth of ~500 domains
‣ 7 unicast servers + 2 anycast clusters

Why?
‣ Increase the integrity of the DNS
‣ Increase security for .SE domain holders and their users:
  – A countermeasure against pharming and other DNS MITM attacks
  – An infrastructure-strengthening technique
  – A contemplated use of DNSSEC is authenticated distribution of public keys for other security schemes
‣ Called upon by the authorities (the Swedish Post and Telecom Agency, PTS)
‣ New applications: ENUM

When?
‣ First workshop in February 1999
‣ Testing since January 2003
‣ Public testing since January 2004
‣ RFC 4033, 4034 & 4035 (aka DNSSEC-bis) were published in March
‣ September 13th 2005: .se started to distribute the signed .se zone
‣ Signed delegations for early adopters from mid-November
‣ More extensive tests started February 1st, 2006

Key Management (diagram: zone file, signer, KSK and ZSK)

Behind the scenes

Distribution
‣ All .SE name servers have been DNSSEC enabled since June
‣ Servers are running BIND or NSD
‣ Different platforms and operating systems:
  – FreeBSD, NetBSD, Linux, Solaris
  – Sparc, Alpha, x86

Name Servers
‣ Netnod: Stockholm, Gothenburg, Sundsvall + Anycast Service
‣ TeliaSonera: Stockholm, Malmo
‣ KTH NOC: Stockholm, Umea
‣ Verisign: Anycast Service

Monitoring
Nagios has been extended to perform basic DNSSEC checks:
– Warn for signatures soon to expire
– Test for correct DNSSEC additional processing
– Check the integrity of some signatures

Signing children – secured delegations
‣ The domain must be a subdomain of .SE.
‣ The domain holder must sign a limitation of liability statement with IIS.
‣ The domain holder must provide IIS with a technical contact person.
‣ IIS must be able to authenticate the technical contact person using a certificate signed by a certificate authority trusted by .SE’s key management tool KEYMAN.
‣ The domain must be delegated to one or more name servers, all of them supporting DNSSEC according to RFC 4033, 4034 and 4035.

Child Key Management
‣ KEYMAN is used for early adopters
‣ New registry & registrar system with integrated DNSSEC planned for Q4 2006

New Registry
‣ Today's registry model in .se is “confusing”: no clear relation between registrar and registrant
‣ The new registry service will be EPP based, with a purer Registry – Registrar relationship
‣ Registrars will handle DNSSEC through EPP
‣ Requirements for DNSSEC? (Probably some extra paragraphs in the registrar agreement)
‣ Authentication of registrants?

Certificate Authorities trusted by .SE
‣ Posten Sverige AB SIS ID CA v1 (The Swedish Post)
‣ Telia e-id CA
‣ CAcert.org
‣ Thawte Personal Fre
‣ SwUPKI CA (Swedish Universities PKI CA)
If someone thinks that their favourite CA is not in the list, they may contact us, and we will consider adding it.

Keyman
‣ Keyman is a prototype DNSSEC child key manager used to register keys with .SE – until the new EPP registry is in place
‣ Stores active keys in a database; fetches new keys via DNS
‣ User selects the active keyset
‣ DS records are generated from the database
‣ Not scalable to big zones with a great number of delegations
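The DS generation step, as an added illustration rather than KEYMAN's own code: it builds the DS record for a child DNSKEY (key tag per RFC 4034 Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA) and also checks that a stored DS still matches the child's current DNSKEY, which is the verification a registry wants before publishing. The owner example.se. and the DNSKEY material are constructed for the example, not real .SE data.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA with even-offset bytes
    weighted by 256, fold the carry once, keep 16 bits. Not for algorithm 1."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS record text for a child DNSKEY. Digest input is the canonical owner
    name followed by the DNSKEY RDATA; digest_type 1 = SHA-1 (RFC 4034 section 5),
    2 = SHA-256 (RFC 4509)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """Check a parent-side DS against a child's DNSKEY (what a registry would do
    before publishing the DS it stores): compares tag, algorithm, type, digest."""
    tag, alg, dtype, digest = ds_text.split()[-4:]
    if dtype not in ("1", "2"):
        return False  # unsupported digest type in this example
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected.split()[-4:] == [tag, alg, dtype, digest.upper()]

# Constructed example DNSKEY: KSK flag (257), protocol 3, algorithm 5 (RSASHA1)
# with a 4-byte placeholder "public key" (bytes 01 02 03 04), not a usable key.
EXAMPLE_OWNER = "example.se."
EXAMPLE_KEY = (257, 3, 5, "AQIDBA==")
```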

Signing a zone

Lessons learned
Stating the obvious…
‣ You might be aware of this already
‣ If not, you probably will be

Do not run BIND 8.

Make sure your firewall can handle EDNS.

Separate authoritative and recursive name servers.

DNSSEC capable software
‣ Authoritative: ISC BIND, Nominum ANS, NSD
‣ Recursive: ISC BIND, Nominum CNS

Performance – resolving
We are measuring to get a picture of what DNSSEC does to performance in the DNS environment. A report will be published very soon. From what we have experienced so far, there are no big differences between running with DNSSEC enabled and running without it.

What is the performance hit on a typical ISP resolver if it enabled DNSSEC validation for .se today?

Query Test Data
‣ 1 hour ( MET) of queries from customers of a large Swedish ISP
‣ Queries recorded via tcpdump and anonymized using tcpreplay
‣ Average query load 966 qps

Measurement
‣ Queries per second measured
‣ Name server CPU time usage measured
‣ Queries / CPU second used as the comparison metric

Public resolvers
.SE provides public resolvers for testing purposes:
‣ bind.dnssec.se
‣ cns.dnssec.se

Server configuration
DNS operators are strongly recommended to always check the current key – not just copy and paste it without verification. The .SE Key Signing Key (KSK) will be changed from time to time. If anyone configures this key into their resolver, we strongly recommend that they subscribe to the mailing list where we will announce key rollovers.

Tests – Phase 1
‣ Friendly users
‣ 18 zones and 11 different domain holders
‣ Short period of time
‣ Some test participants failed to update their signatures before the expiration date
‣ No other problems reported

Tests – Phase 2
‣ Extended test population
‣ New agreement on Limitation of Liability
‣ Running for 12 months
‣ Now 27 zones and 20 different domain holders
‣ Planning to send out a survey to get some idea of the participants' experiences so far

Zone walking – what about it?
‣ The whois service for .se only shows registration status and delegation information
‣ Extended information on domain names is only available via the web interface and is protected by CAPTCHA
‣ We’ve noticed some – but no alarming – activity
‣ Working very actively with the development of NSEC3

Costs?
‣ 2004 – Project budget SEK (appr. Euros)
‣ 2005 – Project budget SEK (appr. Euros)
‣ 2006 – Project budget appr. Euros

To do list
‣ Tests Phase 2 – extended tests with more users, ending in January 2007
‣ Enable DNSSEC validation at ISPs
‣ Information – conference co-arranged with PTS; try to reach ISPs to convince them to enable DNSSEC on resolvers for their broadband customers
‣ Sign important DNS infrastructure
‣ Education – 1½ day sponsored ”hands on” tutorial; participants from registrars, DNS service providers for banks, government agencies, large media companies, ISPs
‣ Sharing the .se model
‣ Documentation – ”DPS”, technical descriptions, code distribution, administrative routines

Documentation & Policy
‣ DNSSEC Policy and Practice Statement
‣ DNSSEC Limitation of Liability
‣ DNSSEC Environment description
‣ Deployment information for other TLDs
‣ Internal technical and administrative documentation

Thank you! Questions?