DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC Ólafur Guðmundsson

Slides:



Advertisements
Similar presentations
DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Advertisements

Reverse DNS SIG Summary Report APNIC Annual Member Meeting Bangkok, March
Oct 15 th, 2009 OGF 27, Infrastructure Area: Status of FVGA-WG Status of Firewall Virtualization for Grid Applications - Working Group
PWG Instructions for the WG Chair At Each Meeting, the Working Group Chair shall: Show slides #2 and #3 of this presentation Advise the WG membership that:
Review iClickers. Ch 1: The Importance of DNS Security.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
IETF-751 Olafur Gudmundsson Andrew Sullivan.
Measuring DNSSEC validation i.e. how to do it Ólafur Guðmundsson Steve Crocker ogud, steve at shinkuro.com.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
Tcpsecure ipr 1 Cisco IPR Disclosure Relating to tcpsecure Scott Bradner
Ogud at ogud dot com DNS implementations guide Ólafur Guðmundsson DNSEXT chair
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
ICANN - Cape Town 11/30/2004 DNSSEC and the Zone Enumeration Andreas Baess DENIC eG
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
Using DHCPv6 for DNS Configuration in Hosts draft-ietf-droms-dnsconfig-dhcpv6-00.txt Ralph Droms.
Implementing Active Directory Lesson 2. Skills Matrix Technology SkillObjective DomainObjective # Installing a New Active Directory Forest Configure a.
Doc.: IEEE /0930r0 Submission July 2006 Nancy Cam-Winget, Cisco Slide 1 Editor Updates since Jacksonville Notice: This document has been prepared.
SIRs, or AIRs, or something draft-carpenter-solution-sirs-01.txt Brian Carpenter without consulting my co-author Dave Crocker IETF 57, 07/03.
DNSSEC Deployment Initiative: Roadmap Version 2.0 Suresh Krishnaswamy, SPARTA Steve Crocker, Shinkuro, Inc.
This is the DNSEXT Working Group (where the microphones are at Scandic hights) San Diego IETF60
This is the DNSEXT Working Group Minneapolis IETF 62
Forgery Resilience Phase #2 Ólafur Guðmundsson
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
DNS Discovery Discussion Report Draft-ietf-ipngwg-dns-discovery-01.txt.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
Deterministic Fast Router Advertisement Configuration Update draft-daley-dna-det-fastra-01.txt Presenter: Greg Daley.
How to use DNS during the evolution of ICN? Zhiwei Yan.
1 Virtual Router Redundancy Protocol (VRRP) San Francisco IETF VRRP Working Group March 2003 San Francisco IETF Mukesh Gupta / Nokia Chair.
1 Discussion of the new DNS generation system DNS Operations SIG APNIC 18 2nd September 2004, Fiji.
Olaf M. Kolkman. IETF55, November 2002, Atlanta GA. 1 key-signing key flag [1] & wildcard-optimization [2] Olaf Kolkman [1] with.
SRI International 1 Topology Dissemination Based on Reverse-Path Forwarding (TBRPF) Richard Ogier September 21, 2002.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
DNSSEC allocations DNSEXT chairs IETF-75 Stockholm 2009/07/29.
Moving towards an IRS WG Charter Ross Callon IETF 85, Atlanta.
IETF Scott Bradner editor, IPR rules documents.
Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
NETLMM BOF IETF 64 James Kempf, DoCoMo Labs USA Phil Roberts, Motorola Labs November 7, 2005.
DNSEXT at IETF-83 Paris 2012/3/27 at 17:10 – 18:10 Ólafur Guðmundsson Andrew Sullivan.
Slide 1 August 2005, Paris, FranceIETF DNSEXT 2929bis etc. Donald E. Eastlake 3 rd
Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015.
Trust Anchor Update Requirements for DNSSEC Russ Mundy for the editors Steve Crocker, Howard Eland, Russ Mundy.
Slide 1 November 2005, Vancouver, BCIETF DNSEXT 2929bis etc. Donald E. Eastlake 3 rd
Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007.
March 2006 Richard Paine, BoeingSlide 1 doc.: IEEE /0261r0 Submission 11k Denver Ad Hoc Agenda Notice: This document has been prepared to assist.
Let’s Encrypt and DANE ENOG 11 | Moscow | 8 Jun 2016.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNS Team IETF 99 Hackathon.
Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)
CARD Designteam A. Singh, D. Funato, H. Chaskar, M. Liebsch
DNSSEC Basics, Risks and Benefits
DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75
TGi Preliminary Agenda
Presentation transcript:

DNSEXT-63 Next steps in Trust Anchor Management for DNSSEC Ólafur Guðmundsson

Current Status 2 drafts: –Threshold n out of m –Timers IPR claim filed against both drafts –Patent is issued in Israel –License terms Royalty free –Clause about references causes problems for some implementers IPR holder wants to update IPR statement with new terms but not posted yet

Larger picture Lack of DNSSEC KEY management is may soon become the excuse “de Jour” for not doing DNSSEC Large TLD’s will not deploy DNSSEC any time soon without a market.  In early deployment “configured” trust anchors will be the rule  The need for configured trust anchors may never go away

Next steps: WG needs to get more active on this issue or DROP IT completely WG owes the proposals: –DISCUSSION –FEEDBACK –Selection criteria –Timeline

Why we need Trust Anchor Management (TAM) Secure Entry Points.SE enables all domains with DS to be trusted Root will always need TAM. COMORG “.” DE ISUKSE IETF OGUDISOCDENIC wwwOPS RFCPAF

Trust Anchor: Timers One optional protocol change –DNSKEY Revoke bit  Invalidates DS/DNSKEY fast, this is a revocation schema for DNSSEC  “immediately” is within the traditional DNS sense of:  zone update propagation delay + TTL

Resolver Trust Anchor State Machine NB: Differs slightly from ID version!

Trust Anchors: n out of m Larger DNSKEY set required

The state machine

Open Mike Comments on proposals Comments

Next Step Advance –One –Both –Neither Take discussion to mailing list

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.