Deploying DNSSEC. Ram Mohan. © Afilias Limited, www.afilias.info

Presentation transcript:


DNS Admin – Pre DNSSEC

Initial Setup (occurs once)
- Set up conf file with original zones and parameters
- Set serial to first value, and add in resource records

Operations (very infrequently)
- Add to conf file when new zone comes online
- Make change to resource records and increment serial

Monitoring
- Check that the update just made has happened and hit the secondaries
- Check that DNS, NTP is running
- Check that transfers are working

DNS Admin – Post DNSSEC

DNSSEC Setup (occurs once)
- Decide on signing solution, signing frequency, signature expiration, key rolls
- Generate initial keys
- Sign zone(s) initially
- Make sure registrar supports DNSSEC
- Generate initial DS records and send to registrar

DNSSEC operation (very infrequently)
- Generate new keys
- Generate new DS record (if rolling KSK), send to registrar
- Begin signing with new keys
- Deprecate old keys at appropriate time

DNSSEC Admin – Post DNSSEC continued

DNSSEC operation (frequent)
- Re-sign zone
- Sign new records as they come into the zone

Monitoring
- Check signatures are valid
- Check NSEC / NSEC3 records are valid
- Check signatures will not expire before next zone re-sign
- Check zone re-signs work and transfer
- Check that new keys are valid
- Check signatures made with new keys are valid
- Ensure DS in parent is in sync with DNSKEYs in apex
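Two of the monitoring checks listed above (DS in parent in sync with the apex DNSKEYs, and signatures not expiring before the next re-sign) written out as an added example; it is not part of the original slides. It handles only SHA-256 (digest type 2) DS records, and the zone name example.test, the key bytes and the dates are constructed sample data.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) owner name in DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 hex digest) for one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def check_ds_sync(owner, parent_ds, apex_dnskeys):
    """Split the parent's DS set into records matching an apex DNSKEY and
    orphans. An empty 'matched' list means the chain of trust is broken."""
    expected = {make_ds(owner, k) for k in apex_dnskeys}
    parent = [(t, a, dt, d.lower()) for t, a, dt, d in parent_ds]
    matched = [ds for ds in parent if ds in expected]
    orphaned = [ds for ds in parent if ds not in expected]
    return matched, orphaned

def expiring_before_resign(rrsigs, now, resign_interval):
    """(owner, type) of RRSIGs whose expiry 'YYYYMMDDHHmmSS' falls before the next re-sign."""
    def parse(ts):
        return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return [(o, t) for o, t, exp in rrsigs if parse(exp) <= now + resign_interval]

# Constructed sample data: zone, key bytes and dates are made up.
OLD_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
NEW_KSK = dnskey_rdata(257, 3, 8, b"\x0a\x0b\x0c\x0d")
PARENT_DS = [make_ds("example.test.", OLD_KSK)]  # new DS never reached the registrar
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
RRSIGS = [("example.test.", "SOA", "20240112000000"),
          ("www.example.test.", "A", "20240201000000")]

if __name__ == "__main__":
    print(check_ds_sync("example.test.", PARENT_DS, [NEW_KSK]))
    print(expiring_before_resign(RRSIGS, NOW, timedelta(days=7)))
```

With only NEW_KSK at the apex the parent's DS comes back as an orphan with nothing matched, which is the state left behind when old keys are deprecated before the new DS is published in the parent.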

Current IANA process

IANA process – Challenges

- The IANA process requires confirmation from BOTH admin and tech contacts for publication.
- Contacts can change jobs
- Contacts can change locations
- Keeping IANA contact information current may not be top priority for some TLD operators
- IANA will not approve changes which may affect stability/service for the TLD
- Nameservers in the TLD's apex NS set must be upgraded to "DNSSEC-Ready" versions