Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Slides:

Advertisements

Similar presentations

Wei Lu 1, Kate Keahey 2, Tim Freeman 2, Frank Siebenlist 2 1 Indiana University, 2 Argonne National Lab

Advertisements

Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.

< APTLD in BUSAN, 2011/08/25 > DNSSEC Update in .KR KISA

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA

DNSSEC Sample Implementation MENOG 10 Workshop 22 April 2012, Dubai

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

FlareCo Ltd ALTER DATABASE AdventureWorks SET PARTNER FORCE_SERVICE_ALLOW_DATA_LOSS Slide 1.

High-Level Awareness of DNSSEC KENIC/NSRC Workshop, Nairobi, May 2011 Phil Regnauld Joe Abley

DESIGNING A PUBLIC KEY INFRASTRUCTURE

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

Introduction to MySQL Administration.  Server startup and shutdown ◦ How to manually start and stop it from the command line ◦ How to arrange an automated.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

Copyright line. Configuring DNS EXAM OBJECTIVES  An Introduction to Domain Name System (DNS)  Configuring a DNS Server  Creating DNS Zones  Configuring.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

11 MANAGING AND MONITORING DHCP Chapter 2. Chapter 2: MANAGING AND MONITORING DHCP2 MANAGING DHCP: COMMON DHCP ADMINISTRATIVE TASKS  Configure or modify.

DNS Dynamic Update Performance Study The Purpose Dynamic update and XFR is key approach to perform zone data replication and synchronization,

DNSSEC deployment in NZ Andy Linton

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.

Windows 2000 Certificate Authority By Saunders Roesser.

Module 15 Managing Windows Server® 2008 Backup and Restore.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.

Middleware for Secure Environments Presented by Kemal Altıntaş Hümeyra Topcu-Altıntaş Osman Şen.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Module 6: Designing Name Resolution. Module Overview Collecting Information for a Name Resolution Design Designing a DNS Server Strategy Designing a DNS.

1 Network Security Lecture 7 Overview of Authentication Systems Waleed Ejaz

AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Presented by Mark Minasi 1 SESSION CODE: WSV333.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.

DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc Samuel Morse Dr. Columbia MD Ph:

Trust Bundle Publisher Create Unsigned Trust BundleCreate Signed Trust Bundle C:\TrustAnchors Trust Anchor Directory Create Bundle Browse … Optional Meta.

Deploying DNSSEC without Losing Your Mind Summer ESNET Conference July 2009.

What's so hard about DNSSEC? Paul Ebersman – May 2016 RIPE72 – Copenhagen 1.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.

DNSSEC Operations in .gov

NIC Chile Secondary DNS Service History and Evolution

R. Kevin Oberman ESnet February 5, 2009

Managing Name Resolution

PLANNING A SECURE BASELINE INSTALLATION

DNSSEC Status Update in UA

The Curious Case of the Crippling DS record

.uk DNSSEC Status update

Presentation transcript:

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008

The Design Goal: Secure DNSSEC Automation on a Trusted Computing Platform a turnkey DNSSEC Signer appliance Plug-n-Play DNSSEC-in-a-box Just set it and forget it. Built on a secure Trusted Computing Platform Private Signing Keys must be kept safe – they are NEVER in the clear The DNSSEC SIGNER runs on an platform designed from the ground up to prevent malware, rootkits and other attacks from compromising the machine. FIPS certification pending (in testing lab)

Simple to Configure SERVER: # Default signing policy Dnssec-automate: ON Dnssec-notify: Dnssec-ksk: 1024 RSASHA1 Dnssec-ksk-rollover: ,8 * Dnssec-ksk-siglife 7D Dnssec-zsk: 2048 RSASHA1 Dnssec:zsk-rollover: * * Dnssec-zsk-siglife 7D Dnssec-nsec-type: nsec3 Dnssec-nsec-settings: OPT-OUT 12 aabbccdd ZONE: Name: myzone. File: myzonefile Dnssec-nsec-type: nsec … DNSSEC can be deployed in days, not months Configuration file 1-line automation Optional parameters to override defaults Can be applied system-wide or zone by zone

Compatible With Current Infrastructure Provisioning System (IPAM, Registry, Hidden Master, Etc.) Secure64 DNS Slave BIND Slave NSD Slave Microsoft DNS Slave Unsigned Zone Data Signed Zone Data Secure64 DNS Signer SCP, AXFR, IXFR (incremental signing)

A Few Initial Design Principles The provisioning system owns the DNS zone data Dont touch the original zone data Never permit private keys to be in plaintext Avoid insider attacks Assume the DNS Administrator knows little about DNSSEC, wants to do less, and will make errors Use Best Practice defaults for all parameters Manage Errors & Failures: Backup, fail-over, error detection

The Reality Check Designing for the mainstream… Or for 3-sigma out? Design for the extremes and the normal cases will take care of themselves

Designing for Dynamic Data ISPs & TLDs: new customers result in new delegations Enterprise: Active Directory & DHCP Example: TLD with millions of RRs Updates every minute How to deal with NSEC3 pre-hash calculation (hint: you dont) static hourly every minute The need for speed daily

Where does this have an Impact? Key Generation Potentially an enormous number of keys Real-time or pre-generated in a keypool Bulk Signing and Scheduled Re-signing can take lots of time And the duty cycle may be too short NSEC3 pre-hash may take too long to calculate Metadata Management (including backup & recovery) Private keys Rollover state Serial number management Synchronization of Parent-Child DS records and coordination with KSK rollover

System block diagram

Whats in the MetaData? Per Zone Information not contained in nsd.conf Signing Keys – private & public Active, Standby, Revoked Serial # ZSK & KSK state data for rollover parent DS info etc nsd.conf specifies attributes such as key length, algorithm, signature life, etc.

Dealing with Serial Numbers Remember the prime directive: Dont mess with the original zone data The provisioning system owns the data and its serial number But…. An automatic re-signing must increment the serial number in order to issue a NOTIFY to slaves Need to leave room for N automatic increments We will NOT increment if new serial # higher than the serial number saved in our metadata Incremental transfers (IXFR from provisioner to the signer) already increment the serial number.

Dealing with Delegation Phased Product Rollouts to Improve Parent-Child Synchronization Child polls parent (needed to finish KSK rollover) Parent polls child Integration with –EPP –IPAM systems Automatic provisioning of DS record when administrator allows Publish DS and DNSKEY records send to parent if parent is signed send Trust-Anchors to TAR if parent isnt signed May help with issues raised on current discussion regarding.MUSEUM Polling parent may find rogue DS record or lame delegation – Danger, Will Robinson

Secure Key Storage & Backup TPM migration of master keys Wraps keys to alternate TPM so master keys are never in clear Copy encrypted MetaData to backup storage server Automatic after each re-signing with timestamp

Secure MetaData Backup & Recovery Primary SignerBackup Signer Storage Server 1.One-time TPM migration of master keys 2.synchronized backup of encrypted metadata 3.Or synchronized backup of encrypted metadata to a storage server Migration mechanism allows multiple signers owned by different organizations to backup to a community resource

Side Note: Do keys get stolen? Tuesday, Aug 26 e-week article

Secure64 DNS Signer

Backup Slides Follow….

OpenDNSSEC architecture with KASP

Eventual integration with XML KASP