1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker

Slides:



Advertisements
Similar presentations
DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Advertisements

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Review iClickers. Ch 1: The Importance of DNS Security.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
IIT Indore © Neminath Hubballi
ENUM? “ Telephone Number Mapping (ENUM or Enum, from TElephone NUmber Mapping) is a suite of protocols to unify the telephone numbering system E.164 with.
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
Providing Application- Level Assurances Using DNSSEC Suresh Krishnaswamy SPARTA, Inc. dba Cobham Analytic Solutions (suresh AT sparta DOT com)
Software Pieces for the DNSSEC-deployment roadmap SPARTA, Inc. 01/21/05.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.
Security and Stability of Root Name Server System Jun Murai (From the panel on Nov. 13 th by Paul Vixie, Mark Kosters, Lars-Johan Liman and Jun Murai)
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Krit Witwiyaruj Thai Name Server Co., Ltd.th DNSSEC Implementation.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
International Telecommunication Union ENUM Implementation Robert Shaw ITU Internet Strategy and Policy Advisor International Telecommunication Union ICANN.
Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman
1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Joint Techs, Albuquerque Feb © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin
AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Workshop Madison, Wisconsin, U.S.A., July 19 th 2006.
Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.
DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc Samuel Morse Dr. Columbia MD Ph:
APNIC DNSSEC deployment considerations APNIC 23, Bali George Michaelson R&D Officer APNIC.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Deploying DNSSEC. Pulling yourself up by your bootstraps João Damas ISC.
DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin
Lecture 20 DNS Sec Slides adapted from Olag Kampman
State of DNSSEC deployment ISOC Advisory Council
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania
DNSSEC Basics, Risks and Benefits
Managing Name Resolution
What DNSSEC Provides Cryptographic signatures in the DNS
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania
Presentation transcript:

1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker Suresh Krishnaswamy Russ Mundy

2 REAL threats dropboxes on servers operated by some random hosting company –Do you trust those MX records? Ops procedures depending on reverse lookups (e.g. Traceroute, SMTP logs) Bogus NAPTRs reroute VoIP Anti-spam data in the DNS

3 Why now? DNSSEC protocol specifications are finally(!) complete* Big strides taken to make DNSSEC operationally viable Considerable time spent in making the specs robust Coordinated global effort to grow the deployed base * "This time for sure!" -- Bullwinkle J. Moose

4 DNSSEC Services Protocol Extensions to DNS provide –Data Integrity –Origin Authentication of DNS data –Authenticated Denial of Existence Meta-protocol elements (TSIG, SIG(0)) provide channel security –Secure zone transfer –“Last Hop” security DNSSEC does not provide confidentiality of data DNSSEC does not protect against DoS attacks

5 End-to-End protection signs this com. example.com sub.example.com Trusted DS DNSKEY A x.sub.example.com signs this refs

6 Typical DNS operations Child zoneParent zone Unsigned Parent Zone File (containing delegation to child) Unsigned child Zone File Wait for the correct NS to appear Reload the parent zone Reload the child zone Exchange of the delegation information NS/ glue information

7 Typical DNSSEC operations Child zoneParent zone Keyset File (from child) Secure Exchange of Keyset Unsigned Parent Zone File (containing delegation to child) Reload the parent zone Wait for the correct DS to appear Reload the child zone Unsigned child Zone File Gen keys DSset Signed Zone File) Keyset File Zone Signing operation Zone Signing Operation Signed Zone File (with child’s DS) Keyset File DSset File Generate keys

8 Registrant-Registrar-Registry Setup Registr ant Registry Wait for DS Keyset File (from child) DSset Signed Zone File Keyset File Sign Zone Signed Zone File Keyset File DSset File Reload child zone Unsigned child Zone File Reload parent zone Unsigned Parent Zone File Keyset File (from child) Secure Exchange of Keyset Registrar Gen keys

9 Registrant (Enterprise) view – What is different? Key gen and Key mgmt Zone signing operations Nameserver provisioning Need to securely transmit DNSSEC-related info to registrar Security from validating resolvers to non- validating stubs Incident handling

10 Registrar view – What is different? Need to securely receive DNSSEC-related information from the registrant Need to securely transmit DNSSEC-related info to registry Incident handling

11 Registry view – What is different? Need to securely receive DNSSEC-related information from the registrar Need to create the secure delegation in the parent zone Key generation and Key management operations Zone signing operations Nameserver provisioning –Size of zone data increases because of signatures –More computational power needed (crypto operations can take time) –Synchronized time (signatures have temporal dependency) Incident handling

12 Summary of existing DNSSEC tools Key generation tools Zone signing tools Zone checking tools Authoritative name server implementations Security-aware recursive (SAR) name server implementations

13 Tools – present and missing RegistrantRegistry Wait for the correct DS to appear Keyset File DSset Signed Zone File) Zone Signing operation Unsigned child Zone File Zone Signing Operation Signed Zone File (with child’s DS) Keyset File DSset File Unsigned Parent Zone File (containing delegation to child) Keyset File (from child) Registrar Reload the parent zone Reload the child zone EPP Extensions Generate keys Zone signing/ checking tools Key Generation tools Authoritative Nameserver SAR Nameserver Out of band

14 Various Ongoing Work Creation of tools, especially for troubleshooting and key management Development of policy and procedure guidance documents Creation of DNSSEC-aware end systems and applications –Need to define requirements and policies –Solving “last-hop” issues Trust anchor key rollover and distribution Prevention of zone walking

15 Enterprise-wide Experiments “Shadow” deployment efforts are ongoing –Mirroring DNSSEC operations in a non- production namespace to evaluate operational impact Workshops conducted for operators to gain familiarity and build faith in existing set of tools and procedures Some sites are already running signed DNSSEC zones

16 EPP extensions for DNSSEC EPP allows registrars with different operational models to access multiple registries via the same protocol Provisioning of DNS security extensions (DNSKEY, RRSIG, DS) Work In Progress

17 Registry-level Experiments NLnet (.nl) – Netherlands – NIC-SE (.se) – Sweden – JPRS (.jp) – Japan –DNSSEC field test in conjunction with ENUM trial ( Verisign (.net DNSSEC pilot) – U.S. – Verisign DLV (.com/.net) – U.S. –

18 Application-level Experiments SSH –Out-of-band verification of server public keys by looking up the fingerprint in the SSHFP resource record in DNS ( –Implementation in openSSH IPsec –Using the IPSECKEY RR to store data such as the public key and the gateway information for creation of IPsec tunnels ( –ipseckey patch for BIND-9.3.0

19 Hard(er) Problems Privacy – Not originally a goal Root key – Politically charged Killer app – Will DNSSEC be a “must have” Too many “trust anchors” until tree is filled in

20 DNSSEC Resources The DNSSEC deployment Working Group home page – Comprehensive DNSSEC resource page – Software –BIND ( –NSD ( –Net::DNS::Sec (