1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

Slides:



Advertisements
Similar presentations
The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.
Advertisements

ICANN Strategic planning process Draft key priorities for the July 2006 – June 2009 Plan for community comment November 2005.
Whois Task Force GNSO Public Forum Wellington March 28, 2006.
ICANN Plan for Enhancing Internet Security, Stability and Resiliency.
Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.
ICANN/ccTLD Agreements: Why and How Andrew McLaughlin Monday, January 21, 2002 TWNIC.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Cairo 2 November Agenda  Guidebook overview  Supporting and explanatory materials  Guidebook Module detail  Probable timelines 2.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
“ICANN and the Global Internet” ICANN Workshop Wednesday, October 9, 2002 Mexico City.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Introduction to ICANN’s new gTLD program. A practical example: the Dot Deloitte case. Jan Corstens, Partner, Deloitte WIPO Moscow, 9 Dec 2011.
1 Performance Auditing  In IT Environment  Evidence Gathering & Analysis Techniques  Computer Assisted Techniques  Use of IDEA.
DNS: Domain Name System Mark Ciocco Chris Janik Networks Class Presentation Tuesday April 18, 2000 To insert your company logo on this slide From the Insert.
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
ICANN and the Internet Ecosystem. 2  A network of interactions among organisms, and between organisms and their environment.  The Internet is an ecosystem.
Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.
1 The Impact of IPv6 on Society ~ a Government Perspective ~ Kaori ITO Ministry of Public Management, Home Affairs, Posts and Telecommunications ( MPHPT)
TAC July 2, 2003 Market Design Implementation Process Recommendation.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Collaboration Works, Inc. IEP Facilitation: Preventing and Effectively Engaging Conflict in Meetings October 5, 2007 Karen Hannan Collaboration Works,
DSSA-WG Progress Update Dakar – October Charter: Background At their meetings during the ICANN Brussels meeting the At-Large Advisory Committee.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
Security for the Internet’s Domain Name System DNSSEC Current State of Deployment Prepared for Internet2 BoF Amy Friedlander, Shinkuro, Inc. Based on a.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
MyFloridaMarketPlace Roundtable January 21, :00 a.m. – 12:00 p.m. MyFloridaMarketPlace.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Update from ICANN staff on SSR Activities Greg Rattray Tuesday 21 st 2010.
Domain Name System. CONTENTS Definitions. DNS Naming Structure. DNS Components. How DNS Servers work. DNS Organizations. Summary.
Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.
Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015
FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.
DSSA Update Costa Rica – March, Goals for today Update you on our progress Raise awareness Solicit your input 2.
DSSA Update Costa Rica – March, Goals for today Update you on our progress Raise awareness Solicit your input 2.
ICANN Root Name Server System Advisory Committee March 2, 1999 SUNTEC Convention Center Singapore.
Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair.
Mtivity Client Support System Quick start guide. Mtivity Client Support System We are very pleased to announce the launch of a new Client Support System.
AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.
Advanced CAMP: BoF Summaries. 2 Role-based Access Control (RBAC)
Izumi Okutani JPNIC IP Department NIR Meeting Feb 2004 JPNIC Open Policy Meeting Update.
Securing Future Growth: Getting Ready for IPv6 NOW! ccTLD Workshop, 8 th April 2011 Noumea, New Caledonia Miwa Fujii, Senior IPv6 Program Specialist, APNIC.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
State of Georgia Release Management Training
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
CCWG on Enhancing ICANN’s Accountability Paris, July 2015.
Page  ASME 2013 Standards and Certification Training Module B – Process B7. The Appeals Process.
&. & DNS and IPv6 IPv6 Summit, Canberra 31st October & 1 st November 2005 Chris Wright, Chief Technology Officer &
Root Zone KSK Maintenance Jaap Akkerhuis | ENOG -10 | October 2015.
Inter-Registrar Transfer Policy Part C Presentation of Initial Report.
Domain Name System INTRODUCTION to Eng. Yasser Al-eimad
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
IANA Stewardship Transition & Enhancing ICANN Accountability Panel and Audience discussion | WSIS Forum | 5 May 2016.
1 27Apr08 Some thoughts on Internet Governance and expansion of the Domain Name space Paul Twomey President and CEO 9 August 2008 Panel on Internet Governance.
IS&T Project Reviews September 9, Project Review Overview Facilitative approach that actively engages a number of key project staff and senior IS&T.
AUDIT STAFF TRAINING WORKSHOP 13 TH – 14 TH NOVEMBER 2014, HILTON HOTEL NAIROBI AUDIT PLANNING 1.
Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Status “Today”
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
Getting started with ICANN
DNS Security Advanced Network Security Peter Reiher August, 2014
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
State of DNSSEC deployment ISOC Advisory Council
Principles of Computer Security
DNSSEC Tutorial: Status “Today”
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Agenda item 4(b) Compliance mechanism - Report on the Committee’s activities since the second session of the Meeting of the Parties This is a sample Title.
Presentation transcript:

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

2 Agenda I. Introductions and Signing Up For the DNSS List II. DNSSEC-Related Sessions Here at the Member Meeting (1) This BOF (2) DNSSEC at LSU, Allie Hopkins, Today, 3PM, Maurepas III. Just in Case Folks Haven't Heard… One More Time: The Kaminsky Vulnerability IV. Some Brief Updates (1) Signing the Root (2) ICANN Security and Stability Advisory Committee (3) Dot Gov and DNSSEC (4) Nominet/Corecom Test of Broadband Routers and Firewalls (5) ccTLDs and other TLDs

3 I. Introductions

4 Welcome! Please tell us a little about yourself (e.g., your name and institution) We'd also love to hear anything else you'd like to share, such as: -- what's spurring your interest in DNSSEC -- the status of DNSSEC testing or deployment at your site -- DNSSEC-related issues you'd like help resolving -- or?

5 Signing Up For the Internet2 DNSSEC List… We don't want to spam you, but if you're interested, please feel free to join the Internet2 DNSSEC mailing list: See also the Shinkuro DNSSEC Deployment Working Group and mailing list at

6 II. DNSSEC Sessions Here at The Member Meeting

7 DNSSEC at Louisiana State University Abstract: DNSSEC has become an increasingly popular topic over the last few years amongst DNS administrators worldwide. The recent DNS cache poisoning exploit caused this interest to skyrocket. The importance of DNSSEC is much more apparent now than it has ever been before. We, at LSU, were already on the way to exploring this topic and plan to have it implemented before the close of the New Year. An even better goal is to have something implemented before October. I plan to discuss why DNSSEC is so important to the internet community, how we tackled this seemingly daunting task, and the obstacles/successes encountered along the way. Session will be today at 3PM, Maurepas

8 III. Just In Case Folks Haven't Heard…

9 Test, and If Necessary, Patch Your Resolvers! Problem: Dan Kaminsky discovered a very efficient way to do DNS cache poisoning; DNSSEC would fix the issue, but until then you watch to be sure to patch your resolvers. For more information, see To Test: (an example of what you'd like to see can be found on the following slide) If Necessary, Patch: If your resolvers don't pass, patch 'em! Providers ARE Getting Hit: For example, see "China Netcom DNS cache poisoning" (08/19/2008): While patching is critical, and certainly better than nothing, DNSSEC is needed to definitively address this issue.

10

11 IV. Updates

12 Update 1: Signing The Root

13 NTIA Notice of Inquiry: "Enhancing the Security and Stability of the Internet's Domain Name and Addressing System," October 9th SUMMARY: The Department of Commerce (Department) notes the increase in interest among government, technology experts and industry representatives regarding the deployment of Domain Name and Addressing System Security Extensions (DNSSEC) at the root zone level. The Department remains committed to preserving the security and stability of the DNS and is exploring the implementation of DNSSEC in the DNS hierarchy, including at the authoritative root zone level. Accordingly, the Department is issuing this notice to invite comments regarding DNSSEC implementation at the root zone. DATES: Comments are due on November 24, 2008 The NTIA's questions are…

14 Questions on DNSSEC Deployment Generally In terms of addressing cache poisoning and similar attacks on the DNS, are there alternatives to DNSSEC that should be considered prior to or in conjunction with consideration of signing the root? What are the advantages and/or disadvantages of DNSSEC relative to other possible security measures that may be available? What factors impede widespread deployment of DNSSEC? What additional steps are required to facilitate broader DNSSEC deployment and use? What end user education may be required to ensure that end users possess the ability to utilize and benefit from DNSSEC?

15 General Questions Concerning Signing of the Root Zone Should DNSSEC be implemented at the root zone level? Why or why not? What is a viable time frame for implementation at the root zone level? What are the risks and/or benefits of implementing DNSSEC at the root zone level? Is additional testing necessary to assure that deployment of DNSSEC at the root will not adversely impact the security and stability of the DNS? If so, what type of operational testing should be required, and under what conditions and parameters should such testing occur? What entities (e.g., root server operators, registrars, registries, TLD operators, ISPs, end users) should be involved in such testing?

16 General Questions Concerning Signing of the Root Zone (continued) How would implementation of DNSSEC at the root zone impact DNSSEC deployment throughout the DNS hierarchy? How would the different entities (e.g., root operators, registrars, registries, registrants, ISPs, software vendors, end users) be affected by deployment of DNSSEC at the root level? Are these different entities prepared for DNSSEC at the root zone level and /or are each considering deployment in their respective zones? What are the estimated costs that various entities may incur to implement DNSSEC? In particular, what are the estimated costs for those entities that would be involved in deployment of DNSSEC at the root zone level?

17 Operational Questions Concerning Signing of the Root Zone The Department recognizes that the six process flow models discussed in the appendix may not represent all of the possibilities available. The Department invites comment on these process flow models as well as whether other process flow model(s) may exist that would implement deployment of DNSSEC at the root zone more efficiently or effectively. Of the six process flow models or others not presented, which provides the greatest benefits with the fewest risks for signing the root and why? Specifically, how should key management (public and private key sets) be distributed and why? What other factors related to key management (e.g., key roll over, security, key signing) need to be considered and how best should they be approached?

18 Operational Questions Concerning Signing of the Root Zone (continued) We invite comment with respect to what technical capabilities and facilities or other attributes are necessary to be a Root Key Operator. What specific security considerations for key handling need to be taken into account? What are the best practices, if any, for secure key handling? Should a multi-signature technique, as represented in the M of N approach discussed in the appendix, be utilized in implementation of DNSSEC at the root zone level? Why or why not? If so, would additional testing of the technique be required in advance of implementation?

19 Appendix A: The Six Models The first three of the process flows described below assign the responsibilities of Root Zone Signer, Root Key Operator, and key publishing among the existing parties to the root zone file management process or to a new, as yet unspecified, third party without materially changing the other pre- existing roles and responsibilities. The fourth model represents a variation of previous models, while changing the current root zone management process flow. The fifth model is also a variation of previous models, while maintaining the current root zone management process flow. The sixth model describes a process flow in which more than one third party, as yet unspecified, are introduced as Root Key Operators, which can be applied to all the previous process flows. [continues] See

20 Update 2: ICANN Security and Stability Advisory Committee Memorandum

21

22 Update 3: Dot Gov and DNSSEC

23 OMB: dot gov will be signed by January August 22nd, 2008

24 Update 4: Nominet/Corecom Test of Broadband Routers and Firewalls DNSSEC-CPE-Report.pdf

25

26 Update 5: ccTLDs (and other TLDs)

27 Signed ccTLDs (and Other TLDs) bg br cz museum pr se Sure love to see dot edu join that list :-) Dot org may beat us to it, however.

28 Dot Org

29

30

31

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.