© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

Slides:

Advertisements

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

Advertisements

The Domain Name System Continuity of Operations Apricot 2008 Taipei TAIWAN 28feb2008.

Review iClickers. Ch 1: The Importance of DNS Security.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Akamai DNS Offerings RSA © Conference ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.

Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

DNS and DNSSec Eustace Asanghanwa Andrew Bates Shane Jahnke Brian Wilke.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Domain Name System ( DNS )  DNS is the system that provides name to address mapping for the internet.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Basic DNS Course Lecturer: Ron Aitchison. Module 1 DNS Theory.

Tony Kombol ITIS Who knows this? Who controls this? DNS!

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

CSUF Chapter 6 1. Computer Networks: Domain Name System 2.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

IIT Indore © Neminath Hubballi

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?

Andreas Steffen, , 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

Domain Name System CH 25 Aseel Alturki

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)

FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.

Technical Area Report Byron Ellacott, Technical Area Director 1.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Zone State Revocation (ZSR) for DNSSEC Eric Osterweil (UCLA) Vasileios Pappas (IBM Research) Dan Massey (Colorado State Univ.) Lixia Zhang (UCLA)

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

What if Everyone Did It? Geoff Huston APNIC Labs.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC.

Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Increasing the Zone Signing Key Size for the Root Zone

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

State of DNSSEC deployment ISOC Advisory Council

What DNSSEC Provides Cryptographic signatures in the DNS

Neda Kianpour - Lead Network Engineer - Salesforce

Presentation transcript:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by: Roland LaPlante SVP, Chief Marketing Officer Afilias

© Afilias Limitedwww.afilias.info 2 Agenda DNSSEC is coming ! DNSSEC is BIG ! How to protect your TLD Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info DNSSEC is at the tipping point BarriersIncentives New hw & sw solutions Testbed deployments Signed TLDs:.org,.gov,.se Signed Root CostsComplexity NO YES Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info DNSSEC is coming Several TLDs have signed their zones already –.ORG,.GOV,.SE,.PM, BR, BG, CZ, PR (.com plans early 2011) Plans in place for domains to be signed as well The root to be signed in July, 2010 – May 5: DURZ deployed to all 13 root servers (deliberately unvalidatable root zone) for observation – July: Distribution of validatable, production, signed root zone; publication of root zone trust anchor.ORG deploying DNSSEC for second level domains in June, 2010 All ICANN new TLDs will be required to have DNSSEC at launch Afilias: supports.ORG’s deployment; provides secondary DNSSEC ready DNS service for.SE Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info 1.DNS loads WILL increase for 3 reasons: Larger Zone File Size Greater Bandwidth Requirements More Traffic DNSSEC is BIG—really! Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info 1.For EVERY signed domain, your zone file will now have to store and provide: Digital signer record to point to the Public Key Signature records 2.On average, you should expect your zone file to increase 4-6 times its current size. More data = more space Zone File increases Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info 1.DNSSEC responses contain more information Initial DNS response (e.g.: for SOA record), PLUS RRSig DNSKey 2.A DNSSEC response is about 4k vs. 512b for a regular DNS query 3.Factor in more bandwidth and processing power to handle larger responses for EACH DNSSEC QUERY 4.Extra Bandwidth requirement: 2-4x (estimated) Bandwidth increases Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info More TCP queries: DNS uses UDP, a lightweight protocol, to return responses for DNS queries. BIND 9.4.x (and earlier versions) limit UDP responses to 512 bytes Since DNSSEC information is larger (~4k), responses can be truncated Those who use UDP may resend a TCP query to get DNSSEC info **Most signed TLDs report 1-2% TCP traffic increase. Key Rollover: No industry standards for key storage down the “chain of trust” (until root validates) If a validating resolver caches an out of date key, you could see query traffic increase for those that need to renew the key Traffic impact: +1% in TCP traffic? Hard to estimate until the root is signed Traffic Increases Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info The most ubiquitous DNS software – BIND – already asks for DNSSEC information built in This means you will be serving signature information as soon as you sign 50% of the traffic Afilias sees TODAY asks for DNSSEC information How will you be ready for the increases in load? Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info 1.Reduces the risk of load increases from DNSSEC deployment – Effortlessly handle significant increases in DNS load once you sign your TLD with DNSSEC. – Economical and risk-free way of ensuring 100% DNS up-time when deploying DNSSEC. 2.Guarantees 100% uptime of your DNS (regardless of DNSSEC) – Insurance against unexpected traffic spikes. – Protection in case of a full network outage by DDoS. – Protection from zero day vulnerabilities. 3.Augment your existing DNS network – Minimizes the expenses and capital requirements to expand your existing DNS network. Why consider secondary DNS? Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info Afilias offers secondary DNS Secondary DNS services Primary DNS services Complete Registry + DNS services Special Offer: FREE 45 days of Secondary DNS Support for ccTLDs that sign their zone with DNSSEC Special Offer: FREE 45 days of Secondary DNS Support for ccTLDs that sign their zone with DNSSEC Speaker: Roland LaPlante

© Afilias Limitedwww.afilias.info SM Thank you! Roland LaPlante