ESnet DNSSEC Update. ESCC/Internet2 Joint Techs Workshop, February 14, 2007. R. Kevin Oberman, Network Engineer, Lawrence Berkeley National Laboratory.

Presentation transcript:

1 ESnet DNSSEC Update
ESCC/Internet2 Joint Techs Workshop
February 14, 2007
R. Kevin Oberman
Network Engineer
Lawrence Berkeley National Laboratory

2 Overview
Why is ESnet implementing DNSSEC?
What is required? UPDATED
How will DNSSEC be implemented in ESnet?
  o NIST SP Implementation recommendations -
  o NIST SP Rev. 1 -FISMA Requirements -

3 What is Required?
OMB mandate in NIST SP Rev. 1
  o TSIG for zone transfers
    - Has operational advantages beyond security enhancement
    - Firewall rules may cause issues
    - Required by SC-8 (Not obvious!)
  o Signed data only required by medium and high impact systems
    - Seems silly if it is not a general requirement
    - In SC-20 through SC-22

4 Where is ESnet?
TSIG authentication of all zone transfers
  o Partly implemented
  o Most larger sites are using it
  o Some sites have old software lacking support
  o Some sites have firewall rules which complicate issues
Signing of all forward zones
  o Test server is in service and working
  o As expected, key management IS a pain

5 Status of Implementation
TSIG is currently implemented for several sites
  o Mandatory for new sites
  o PGP used for key distribution
Signed data
  o Still not running on production servers
    - Will be in a few weeks
  o Our DNS management software does not support DNSSEC today (coming soon!)
  o No implementation problems on BIND systems
  o Still worried about key distribution and roll-over
  o Still targeting full production by mid-2008

6 Summary
Progress has been made
Requirements are now known
  o None (for ESnet)
Hope for full implementation of TSIG by the end of the year
Signed zones by the end of the year (ESnet zones)
Still waiting on a final resolution to NSEC issue
  o Almost certainly NSEC3
  o Will not ask sites to sign zones until resolved
  o That does not mean that you can't sign
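
Added example (not from the presentation and not ESnet's tooling): one way to track the "TSIG authentication of all zone transfers" goal from slides 4 and 5 is to audit a BIND configuration for zones whose allow-transfer list can still match a request without a key. The zone names, key name, address and status labels below are assumptions made for illustration.

```python
import re

# Constructed named.conf fragment; zone names, key name and address are made up.
SAMPLE_CONF = '''
zone "a.example" { type master; file "a.db"; allow-transfer { key "site-a-xfer"; }; };
zone "b.example" { type master; file "b.db"; allow-transfer { 192.0.2.53; }; };  // address only
zone "c.example" {
    type master; file "c.db";
    allow-transfer { key "site-a-xfer"; 192.0.2.53; };  /* either element may match */
};
zone "d.example" { type master; file "d.db"; };
'''

def _block(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")

def audit_transfers(conf):
    """Map each zone name to a transfer-control status (labels are this example's own)."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)  # drop comments
    report = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = _block(conf, m.end() - 1)
        acl = re.search(r"\ballow-transfer\s*\{", body)
        if acl is None:
            # Inherits the options-level setting or the server default: check there.
            report[m.group(1)] = "unspecified"
            continue
        elements = [e.strip() for e in _block(body, acl.end() - 1).split(";") if e.strip()]
        keyed = [e for e in elements if re.fullmatch(r'key\s+"?[\w.-]+"?', e)]
        # A non-key element (address, prefix, nested list, or a named ACL, which is
        # not resolved here) may match an unsigned request, so it is flagged for review.
        others = [e for e in elements if e not in keyed and e != "none"]
        if others:
            report[m.group(1)] = "not-tsig-only"
        elif keyed:
            report[m.group(1)] = "tsig-only"
        else:
            report[m.group(1)] = "disabled"
    return report

if __name__ == "__main__":
    for zone, status in audit_transfers(SAMPLE_CONF).items():
        print(f"{zone:12} {status}")
```

Zone `c.example` is the case worth noticing: listing a key next to an address does not require both, because a BIND address match list is satisfied by any one matching element.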