Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Presentation transcript:


DNSSEC on 1 page
Data authenticity and integrity by SIGning the resource records
Public KEYs can be used to verify the SIGs
Children sign their zones with their private key. The authenticity of their KEY is established by a SIGnature over that key by the parent
In the ideal case, only one public KEY needs to be distributed off-band

Why DNSSEC on in-addr
Delegations follow topology
  – Allocation/assignment can be used to verify child's key authority
  – First (proposed) applications use reverse tree (IPSEC)
RIPE NCC is authoritative for top nodes of the tree.
  – We can gain experience and may make a difference

Why not yet
RFC 2535 has been around for a few years
We started working on DNSSEC about 1.5 years ago, at the same time other groups started deployment
Operation too troublesome
  – Mainly key-rollover
Fixes needed in the protocol

Fixes, what fixes?
DS RR
  – Delegation from parent to child
  – Solves key rollover problems
  – Backward incompatible
NXT OPT-IN
  – Scaling problems for large zones
  – Opt-In allows for slowly introducing DNSSEC
  – Loss of authenticated denial
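The DS delegation from the slide above, as an added example that is not part of the original slides: the parent publishes a digest of the child's key, so during a rollover it can list the old and the new key side by side. It assumes the DS layout and key tag algorithm as later standardized in RFC 4034 with a SHA-256 digest, which the slides do not specify; the zone name and key bytes are constructed.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of a fully qualified owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS the parent publishes: (key tag, algorithm, digest type 2, SHA-256)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def secure_entry_points(owner, parent_ds_set, child_dnskeys):
    """Return the child DNSKEYs that a DS in the parent zone vouches for."""
    return [k for k in child_dnskeys if make_ds(owner, k) in parent_ds_set]

# Constructed sample data: a reverse zone and made-up key blobs (not real keys).
ZONE = "2.0.192.in-addr.arpa."
OLD_KSK = dnskey_rdata(257, 8, bytes([1, 2, 3, 4]))
NEW_KSK = dnskey_rdata(257, 8, bytes([9, 8, 7, 6]))
FORGED = dnskey_rdata(257, 8, bytes([6, 6, 6, 6]))

if __name__ == "__main__":
    # Rollover: the parent lists both DS records while the child holds both keys.
    parent = {make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)}
    print(len(secure_entry_points(ZONE, parent, [OLD_KSK, NEW_KSK, FORGED])))
    # After the rollover the parent drops the old DS; only the new key chains up.
    parent = {make_ds(ZONE, NEW_KSK)}
    print(secure_entry_points(ZONE, parent, [OLD_KSK, NEW_KSK]) == [NEW_KSK])
```

A key that no DS in the parent zone matches is never accepted as an entry point, whatever it signs in the child zone.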

What's next
Waiting for protocol to settle
  – Depends on IETF process
  – Implementation needs to be available
  – This may all happen in about 1-2 months
Test code and work towards implementation
  – Deployment on reverse tree expected around Q4