1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006
2 Overview.ORG Testbed Implementation Perception Problems Risk vs. Return What next?
3.ORG Testbed Logistics and Topology Launched on 31 October, 2005 DNSSEC-aware name servers EPP 1.0 front end servers feed zone data to the name servers
4 EPP Front End Only.ORG accredited registrars allowed access to the EPP servers Want to keep out the cruft Use same creds as.ORG OT&E servers New registrars added when added to OT&E Dedicated testbed servers Runs on epp1.dnssec-testbed.pir.org & epp2.dnssec-testbed.pir.org Separate from.ORG Production servers!
5 DNS Back End Running on dedicated BIND servers at the moment Will cut over to UltraDNS in 2006 Isolated DNS systems Query using Where is: ns1.dnssec-testbed.pir.org or ns2.dnssec-testbed.pir.org Started with “empty” zone
6 Registrar Toolkit Experimental toolkit (Not for Prime Time) Don’t use it for.ORG production Availability: PIR website SourceForge EPP Transactions based on the -03 Hollenbeck draft
7 Policy Decisions Running according to -bis specifications Looking to showcase some pitfalls May code NSEC3 in 2006 to run parallel Same for roll-over drafts, as they flush out Roll-over Already rolled in November (did anyone notice?) Will do an unannounced ZSK and KSK “compromise scenario” in 2006 Will publish a key roll-over schedule as well
8 Participation... 3 Registrars logged in, 15 names in the zone, 12 DS records (as of 23 Nov 2005) 135 names in the zone as of now What can we do to help you participate? On the PIR side? On the Afilias side?
9 Perception Problems.CL (Chilean) survey Many in the technological community in Chile do not know what DNSSEC is Some thought it was “all about confidentiality” Have not deployed DNSSEC because: Worry it will confuse the market (providers are not knowledgeable yet makes many promises to end- users) Multiple providers to deal with (ISC, APNIC, RIPE, etc.) Education and Testbed
10 What DNSSEC does NOT do DNSSEC does NOT provide confidentiality of DNS responses DNSSEC does NOT protect against DDOS attacks DNSSEC is NOT about privacy DNSSEC is NOT a PKI DNSSEC does NOT protect against IP Spoofing
11 Why is DNSSEC important? ROI vs. Return on Risk Not about increased revenues, but about reduced risks Reducing risks for your community / customers High vulnerability, low awareness High dependance on DNS Trust is easy to lose difficult to re-gain
12 What Next? Not without technical challenges (e.g. Key Rollovers) Main Challenge is still awareness and adoption (i.e. demand driving) Technologists tend to get over excited about technical details Some disconnect with business managers Not as high profile as worms, viruses and DDOS attacks Even as security is highest priority
13 Man-in-the-middle Attacks Stories to tell: Bank Account from your bank telling you that, for security reasons, they need you to update your password You know about these scams called ‘phishing’, where the bad guys send an pretending to be legit, and the link actually goes to their website Just to be safe, instead of clicking on your bank’s link, you open up your browser, and type in the URL for your bank login page On the front page is the request for password change. You put in your ‘old’ password, and your ‘new’ password (twice) Two hours later, your entire savings account is wiped clean. Automated Systems compromised being intercepted
14 IDN and DNSSEC Many similarities Requries Application (DNS Clients) updates Requires Registries and DNS operator updates / deployment Requires Root changes for complete experience One major difference: Lack of explicit user demand
15 Awareness & Participation ccTLDs and gTLDs should implement DNSSEC testbeds Application Providers Browsers, MTAs ISPs Industry should help promote awareness Must a catastrophe happen first?... For more info and to participate:
16 Thank You Edmon Chung